Werk #4757: Fixed possible reflected XSS in webapi.py
Component | User interface | ||||||
Title | Fixed possible reflected XSS in webapi.py | ||||||
Date | Jun 14, 2017 | ||||||
Level | Prominent Change | ||||||
Class | Security Fix | ||||||
Compatibility | Compatible - no manual interaction needed | ||||||
Checkmk versions & editions |
|
In the Check_MK 1.4 branch URLs like this could be used for a reflected XSS attack:
http://<test host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a plain text error message. This has been fixed now.