PT-2022-11334 · Unknown · Checkmk Raw Edition

Edgar Augusto Loyola Torres · Published 2022-01-02 · Updated 2024-07-23 · CVE-2021-40906

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CheckMK Raw Edition software versions 1.5.0 through 1.6.0
Description: The issue allows Reflected XSS, enabling an attacker to inject malicious HTML content, including JavaScript or other client-side scripts, into a user's browser. This could lead to the opening of a backdoor on the device or the theft of session cookies from previously authenticated users, potentially through a man-in-the-middle attack. Exploitation requires only access to a web service resource; no authentication is needed.
Recommendations: For CheckMK Raw Edition software versions 1.5.0 through 1.6.0, consider implementing input sanitization for the vulnerable web service parameter to prevent Reflected XSS attacks. As a temporary workaround, restrict access to the unauthenticated zone of the web service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-40906
USN-5527-1

Affected Products

Checkmk Raw Edition
Ubuntu