Werk #17059: Escape user input on load failure of visuals

Component

User interface

Title

Escape user input on load failure of visuals

Date

Jun 26, 2024

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

2.4.0b1	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p8	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p28	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p45	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

An attacker could create phishing links that take Checkmk users to their Checkmk installation and lure them into a malicious link if a visual (view/dashboard/report) did not exist.

Affected Versions:

LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of <4.3 (Medium)> with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N and assigned CVE CVE-2024-38857.

To the list of all Werks