CVE-2017-11507

Name of the Vulnerable Software and Affected Versions Check MK versions 1.2.8x prior to 1.2.8p25 Check MK versions 1.4.0x prior to 1.4.0p9

Description A cross site scripting (XSS) issue exists, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output format parameter and the username parameter of failed HTTP basic authentication attempts. This is possible because the username parameter is returned unencoded in an internal server error page.

Recommendations For Check MK versions 1.2.8x prior to 1.2.8p25, update to version 1.2.8p25 or later. For Check MK versions 1.4.0x prior to 1.4.0p9, update to version 1.4.0p9 or later. As a temporary workaround, consider restricting access to the output format parameter and ensuring proper encoding of the username parameter in error pages to minimize the risk of exploitation.