Werk #2387: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters
Component | User interface | ||
Title | Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters | ||
Date | Jun 30, 2015 | ||
Level | Trivial Change | ||
Class | Security Fix | ||
Compatibility | Compatible - no manual interaction needed | ||
Checkmk versions & editions |
|
On some pages, like for example the host group management page of WATO, it was possible to inject user provided HTML/Javascript code into the confirm messages. An attacker could use this to let an authenticated user open a prepared URL for privilege escalation within the GUI.