PT-2024-28240 · Checkmk · Checkmk

Published: 2024-08-26 · Updated: 2024-12-03 · CVE-2024-38859

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Checkmk versions prior to 2.3.0p14
Checkmk versions prior to 2.2.0p33
Checkmk versions prior to 2.1.0p47
Checkmk version 2.0.0

Description

The issue allows malicious users to execute arbitrary scripts by injecting HTML elements into the SLA column title. These scripts could be executed when the view page was cloned by other users.

Recommendations

For Checkmk versions prior to 2.3.0p14, update to version 2.3.0p14 or later.
For Checkmk versions prior to 2.2.0p33, update to version 2.2.0p33 or later.
For Checkmk versions prior to 2.1.0p47, update to version 2.1.0p47 or later.
For Checkmk version 2.0.0, update to a newer version as 2.0.0 is end of life.

As a temporary workaround, consider restricting access to the view page with the SLA column configured until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-38859

Affected Products

Checkmk