
Werk #4757: Fixed possible reflected XSS in webapi.py

Component: User interface
Title: Fixed possible reflected XSS in webapi.py
Date: Jun 14, 2017
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
1.5.0i1 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT
1.4.0p6 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT
1.2.8p27 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT

In the Check_MK 1.4 branch, URLs like the following could be used for a reflected XSS attack:

http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere

The error message containing the reflected parameter value was interpreted as HTML, while it should have been a plain text error message. This has now been fixed.
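The following is an added illustration of the defect class this werk describes, not Checkmk's own webapi.py code: a minimal error-response builder that reflects the `_username` query parameter, first served as HTML (the vulnerable shape), then as plain text (the fix the werk describes), plus an escaped-HTML variant for the case where a response must stay HTML. The error wording, the `example.invalid` host and the helper names are constructed for this example; only the query string is taken from the werk.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL modelled on the one quoted in the werk; the host is
# the reserved "example.invalid" name, so it never points at a real system.
EXAMPLE_URL = (
    'http://example.invalid/mysite/check_mk/webapi.py'
    '?_username=<script>alert("XSS")</script>&_secret=AnythingHere'
)


def get_params(url):
    """Parse the query string into a flat dict of first values."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def error_response_vulnerable(username):
    """Vulnerable shape: the error text is built by concatenation and served as
    HTML, so whatever the client put in _username is parsed as markup."""
    body = ("<h1>Error</h1><p>Invalid automation secret for user "
            + username + "</p>")
    return {"Content-Type": "text/html; charset=utf-8"}, body


def error_response_fixed(username):
    """Fixed shape (what the werk describes): the same message is served as
    plain text. A text/plain body is never parsed as HTML by the browser, so
    the reflected value cannot become a script element."""
    body = "Invalid automation secret for user " + username
    return {"Content-Type": "text/plain; charset=utf-8"}, body


def error_response_escaped(username):
    """Alternative hardening when the response must remain HTML: escape the
    reflected value so '<', '>' and quotes are rendered literally."""
    body = ("<h1>Error</h1><p>Invalid automation secret for user "
            + html.escape(username, quote=True) + "</p>")
    return {"Content-Type": "text/html; charset=utf-8"}, body


def reflects_raw_markup(headers, body, tainted):
    """Classification check used in this example: True when the response is
    HTML and the tainted input appears in it byte-for-byte (unescaped)."""
    is_html = headers["Content-Type"].lower().startswith("text/html")
    return is_html and "<" in tainted and tainted in body


if __name__ == "__main__":
    p = get_params(EXAMPLE_URL)
    for name, builder in (("vulnerable", error_response_vulnerable),
                          ("fixed", error_response_fixed),
                          ("escaped", error_response_escaped)):
        headers, body = builder(p["_username"])
        print(name, "reflects raw markup:",
              reflects_raw_markup(headers, body, p["_username"]))
```

The point of the two hardened variants is that either the content type or the encoding must guarantee the reflected value cannot be parsed as markup; relying on the caller to send a harmless `_username` is not a control, since the value is entirely under the requester's control in a reflected attack.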
