ID: 13193
Title: XSS in report editing
Component: Reporting & Availability
Level: 1
Class: Security fix
Version: 2.1.0i1
It was possible to inject HTML code in various content elements. This could also be used in shared reports.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0
Affected Versions: all below
Workarounds: Do not allow users to customize reports (set 'General Permissions' > 'Customize reports and use them' to no)
Exploit detections: Check `var/check_mk/web/*/user_reports.mk` for HTML special characters.
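
One way to run the check named under "Exploit detections", as an added example (not Checkmk code): it assumes each `user_reports.mk` holds a Python literal and that `site_root` is the directory the relative path starts from. The function names and the sample are constructed here.

```python
import ast
import glob
import sys

# Quotes are left out: they are part of the file syntax and too common in titles.
HTML_SPECIAL = set("<>&")

def walk(node, path=""):
    """Yield (path, string) for every string in a nested literal, dict keys included."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk(key, f"{path}[key]")
            yield from walk(value, f"{path}[{key!r}]")
    elif isinstance(node, (list, tuple, set)):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def scan_text(text):
    """Return [(path, chars_found, value)] for strings holding HTML special characters."""
    try:
        data = ast.literal_eval(text)  # parses literals only, never executes file content
    except (ValueError, SyntaxError, TypeError):
        data = text.splitlines()  # not a plain literal: scan the raw lines instead
    hits = []
    for path, value in walk(data):
        found = HTML_SPECIAL & set(value)
        if found:
            hits.append((path, "".join(sorted(found)), value))
    return hits

def scan_site(site_root="."):
    """Scan every user's report file below the assumed site root."""
    results = {}
    for name in sorted(glob.glob(f"{site_root}/var/check_mk/web/*/user_reports.mk")):
        with open(name, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            results[name] = hits
    return results

# Constructed sample in the assumed format, not taken from a real site.
SAMPLE = """{'weekly': {'title': 'Weekly availability',
 'elements': [{'type': 'heading', 'text': '<script>alert(1)</script>'}]}}"""

if __name__ == "__main__":
    for name, hits in scan_site(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for path, chars, value in hits:
            print(f"{name}: {path} contains {chars!r}: {value!r}")
```

A hit is a lead for review rather than proof of exploitation; the reported path shows which report and element to inspect.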
ID: 13215
Title: real-time checks: improved encryption
Component: Checks & agents
Level: 1
Class: Security fix
Version: 2.1.0i1
The Linux agent now takes advantage of current OpenSSL versions (>= 1.1.1) and employs a safer encryption algorithm for the real-time UDP packets on applicable systems.