back to website

Werk #13193: XSS in report editing

Component Reporting & availability
Title XSS in report editing
Date Sep 24, 2021
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.1.0b1 Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p12 Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0p26 Checkmk Enterprise (CEE), Checkmk MSP (CME)

It was possible to Inject HTML code in various Content elments. This could also be used in shared reports.

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0 Affected Versions: all below Workarounds: Disallow users to customize reports (Set 'General Permissions' > 'Customize reports and use them' to no) Exploit detections: Check var/check_mk/web/*/user_reports.mk for html specialchars.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our Checkmk Conference #12 – the hybrid Monitoring Community event in Munich, on June 16-18 – to explore new Checkmk features, best practices, and our roadmap.

Register now