Werk #17024: Fix XSS in Crash Report Page
Component | Setup | ||||||||
Title | Fix XSS in Crash Report Page | ||||||||
Date | Jun 6, 2024 | ||||||||
Level | Trivial Change | ||||||||
Class | Security Fix | ||||||||
Compatibility | Compatible - no manual interaction needed | ||||||||
Checkmk versions & editions |
|
Prior to this Werk, it was possible to inject HTML elements into Crash report
URL in the Global settings, leading to an XSS
vulnerability in the Crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Indicators of Compromise:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
Vulnerability Management:
We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
.
and assigned CVE-2024-28832
.