Werk #2389: Fixed XSS using the _body_class parameter of views

Component: User interface
Title: Fixed XSS using the _body_class parameter of views
Date: Jun 30, 2015
Checkmk Version: 1.2.7i3
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Affected Editions: 1.2.7i3 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

It was possible to use the _body_class parameter of the status GUI views to inject HTML/JavaScript code into the pages.

The _body_class parameter, which was only used for internal purposes, has now been removed entirely.
