Werk #6423: Fixed possible XSS in views with some filters

Name: checkmk
Rating: 4.7 (114 reviews)

Component

User interface

Title

Fixed possible XSS in views with some filters

Date

Aug 2, 2018

Level

Trivial Change

Class

Bug Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

1.6.0b1	Checkmk Community, Checkmk Pro, Checkmk Ultimate MT
1.5.0p1	Checkmk Community, Checkmk Pro, Checkmk Ultimate MT
1.4.0p35	Checkmk Community, Checkmk Pro, Checkmk Ultimate MT

It was possible to inject some specific HTML tags (like the a-tag) into the title of views which could be used to make users click on it to execute some arbitrary javascript code.

To the list of all Werks