Werk #17025: Fix XSS in confirmation pop-up
Component | Setup | ||||||
Title | Fix XSS in confirmation pop-up | ||||||
Date | Jun 10, 2024 | ||||||
Level | Trivial Change | ||||||
Class | Security Fix | ||||||
Compatibility | Compatible - no manual interaction needed | ||||||
Checkmk versions & editions |
|
Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
- 2.2.0
Indicators of Compromise:
Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up.
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
, and assigned CVE-2024-28831
.