Werk #17024: Fix XSS in Crash Report Page
| Component | Setup |
| Title | Fix XSS in Crash Report Page |
| Date | Jun 6, 2024 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.1.0p45 2.2.0p28 2.3.0p7 2.4.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk, it was possible to inject HTML elements into Crash report
URL in the Global settings, leading to an XSS vulnerability in the Crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Indicators of Compromise:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
Vulnerability Management:
We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N.
and assigned CVE-2024-28832.