Werk #17025: Fix XSS in confirmation pop-up
| Component | Setup |
| Title | Fix XSS in confirmation pop-up |
| Date | Jun 10, 2024 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.2.0p28 2.3.0p7 2.4.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
Affected Versions:
- 2.3.0
- 2.2.0
Indicators of Compromise:
Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up.
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and assigned CVE-2024-28831.