Werk #17026: Fix XSS in view page with SLA column
Component | Setup
Title | Fix XSS in view page with SLA column
Date | Aug 15, 2024
Level | Trivial Change
Class | Security Fix
Compatibility | Compatible - no manual interaction needed
Checkmk versions & editions | 2.3.0, 2.2.0, 2.1.0, 2.0.0 (EOL)
Prior to this werk, SLA (Service Level Agreement) titles were rendered as HTML in the view page without being escaped. A user who can set an SLA title could therefore store HTML, including script, that executes in the browser of anyone opening a view with an SLA column (a stored XSS).
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Indicators of Compromise:
A view page that was cloned from an untrusted user, where that user has injected HTML into the SLA titles.
Vulnerability Management:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, and assigned CVE-2024-38859. In plain terms: the attacker needs a low-privileged account, the victim must actively open the affected view, and the impact is limited to the viewer's browser session (low confidentiality and integrity impact on the subsequent system, none on the Checkmk server itself).