PT-2017-19184 · Mathias Kettner+1 · Checkmk+1

Published: 2017-06-21 · Updated: 2022-07-20 · CVE-2017-9781

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Check MK versions 1.4.0x prior to 1.4.0p6

Description

A cross-site scripting (XSS) issue exists, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the username parameter when attempting authentication to "webapi.py", which is returned unencoded with content type text/html.

Recommendations

For Check MK versions 1.4.0x prior to 1.4.0p6, update to version 1.4.0p6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "webapi.py" endpoint or avoiding the use of the username parameter until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2017-9781
USN-5527-1
USN-5527-2

Affected products

Checkmk
Ubuntu