Werk #5654: Fixed XSS on the site management page

Component User interface
Title Fixed XSS on the site management page
Date Jan 24, 2018
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 1.4.0p24 1.5.0i3
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

When using the WATO configuration it was possible to create a site on the distributed monitoring page which uses with javascript code in it's alias. When this site was later displayed in the site tables, the javascript code could be executed in the browsers context of the user viewing the table.

The insertion of the javascript code is only possible for authenticated users with the permission to configure Check_MK sites.

To the list of all Werks