Werk #17026: Fix XSS in view page with SLA column

Component

Setup

Title

Fix XSS in view page with SLA column

Date

Aug 15, 2024

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

2.4.0b1	Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p14	Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p33	Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p48	Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.

Affected Versions:

2.3.0
2.2.0
2.1.0
2.0.0 (EOL)

Indicators of Compromise:

Cloning the view page of untrusted users who have injected HTML into the SLA titles.

Vulnerability Management:

We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, and assigned CVE-2024-38859.

To the list of all Werks