Checkmk 2.0 is here! See what's new.

Werk #2387: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters

Component GUI
Title Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters
Date Jun 30, 2015
Checkmk Editon Checkmk Raw (CRE)
Checkmk Version 1.2.7i3
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

On some pages, like for example the host group management page of WATO, it was possible to inject user provided HTML/Javascript code into the confirm messages. An attacker could use this to let an authenticated user open a prepared URL for privilege escalation within the GUI.

To the list of all Werks