Werk #16618: Fix XSS in graph rendering
| Component | Setup | ||||
| Title | Fix XSS in graph rendering | ||||
| Date | Apr 4, 2024 | ||||
| Level | Trivial Change | ||||
| Class | Security Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
Prior to this Werk a service name with html tags lead to cross site scripting in the graph rendering.
We found this vulnerability internally.
Affected Versions:
Only 2.3.0 is affected, older versions are NOT affected.
Vulnerability Management:
We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.
We assigned CVE-2024-2380 to this vulnerability.
Changes:
This Werk changes the encoding engine to use our customized JSON encoder.