Werk #4902: Monitoring history views: Fixed possible XSS when displaying "plugin output"

Component

User interface

Title

Monitoring history views: Fixed possible XSS when displaying "plugin output"

Date

Jun 27, 2017

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0i1	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.4.0p8	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.8p25	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

A possible XSS issue has been fixed in the monitoring history views displaying the plugin output of hosts or services. In case a host or service problem is being acknowledged with HTML code in the acknowlegement comment, this HTML code was not being escaped properly when being displayed in the "plugin output" column.

Only authenticated users that are permitted to acknowledge host or service problems could trigger this issue.

To the list of all Werks