Werk #13193: XSS in report editing
| Component | Reporting & availability |
| Title | XSS in report editing |
| Date | Sep 24, 2021 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
It was possible to inject HTML code into various content elements. This could also be used in shared reports.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0
Affected Versions: all below
Workarounds: Disallow users to customize reports (set 'General Permissions' > 'Customize reports and use them' to No)
Exploit detections: Check var/check_mk/web/*/user_reports.mk for HTML special characters.
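A small scanner for the check suggested above, added here as an example and not part of Checkmk or of this werk. It walks `var/check_mk/web/*/user_reports.mk` under a site root and reports every line containing one of the characters an HTML escaper would have to rewrite. The default character set is `<`, `>` and `&`: the `.mk` files are assumed to be Python literal syntax, so quote characters are ordinary syntax there and would make a scan for `"` and `'` report every line; pass `chars="<>&\"'"` to include them anyway. The sample report definition embedded below is constructed for the example and does not reflect the real file layout.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Characters that html.escape() rewrites; '<', '>' and '&' are the ones that can
# create or alter markup, so they are the default indicators.
DEFAULT_CHARS = "<>&"


class Finding(NamedTuple):
    path: str
    lineno: int
    char: str
    context: str  # short snippet around the hit, for triage


def scan_text(text: str, path: str = "<memory>", chars: str = DEFAULT_CHARS) -> list[Finding]:
    """Return one Finding per HTML special character found in text."""
    pattern = re.compile("[" + re.escape(chars) + "]")
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in pattern.finditer(line):
            start = max(0, match.start() - 20)
            end = min(len(line), match.end() + 20)
            findings.append(Finding(path, lineno, match.group(0), line[start:end]))
    return findings


def scan_user_reports(site_root: str, chars: str = DEFAULT_CHARS) -> list[Finding]:
    """Scan every var/check_mk/web/*/user_reports.mk below site_root (the path named in the werk)."""
    findings: list[Finding] = []
    for report_file in sorted(Path(site_root).glob("var/check_mk/web/*/user_reports.mk")):
        text = report_file.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, str(report_file), chars))
    return findings


# Constructed sample: one clean report and one whose title carries injected markup.
SAMPLE_USER_REPORTS = """\
{'clean_report': {'title': 'Weekly availability', 'elements': [('text', {'text': 'All hosts OK'})]},
 'suspicious_report': {'title': 'Sales <b>Q3</b>', 'elements': [('text', {'text': 'a & b'})]}}
"""


if __name__ == "__main__":
    import sys

    # With a site root argument scan the real files, otherwise demonstrate on the sample.
    hits = scan_user_reports(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_USER_REPORTS)
    for hit in hits:
        print(f"{hit.path}:{hit.lineno}: {hit.char!r} in ...{hit.context}...")
    print(f"{len(hits)} suspicious character(s) found")
```

Run it as `python scan_reports.py /omd/sites/<site>` (the site path is an assumption, not taken from the werk); a non-empty result is a prompt to review the named report, not proof of abuse, since a legitimate title can contain an ampersand.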