Werk #6614: Fixed reflected XSS affecting agent updater AJAX calls

Component

Agent bakery

Title

Fixed reflected XSS affecting agent updater AJAX calls

Date

Sep 14, 2018

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

1.6.0b1 Not yet released	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0b1 Not yet released	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0b1 Not yet released	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0b1 Not yet released	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0b1 Not yet released	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0b1	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0p5	Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.4.0p36	Checkmk Enterprise (CEE), Checkmk MSP (CME)

When the hostname of a monitored agent is known, this could be used to exploit a reflected XSS vulnerability. Every unauthenticated or authenticated user can issue a request like this. The victim does not have to be authorized on the Check_MK application

To the list of all Werks