Edgar Augusto Loyola Torres

**Name of the Vulnerable Software and Affected Versions** CheckMK Raw Edition software versions 1.5.0 through 1.6.0 **Description** The issue allows for Reflected XSS, enabling an attacker to inject malicious HTML content, including JavaScript or other client-side scripts, into a user's browser. This could lead to the opening of a backdoor on the device or the theft of session cookies from previously authenticated users, potentially through a man-in-the-middle attack. The exploitation requires access to a web service resource without the need for authentication. **Recommendations** For CheckMK Raw Edition software versions 1.5.0 through 1.6.0, consider implementing input sanitization for the vulnerable web service parameter to prevent Reflected XSS attacks. As a temporary workaround, restrict access to the unauthenticated zone of the web service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.