Branch: refs/heads/2.3.0
Home:
https://github.com/Checkmk/checkmk
Commit: 8ca7898d84451646596b6c9c6da80f019c5554d0
https://github.com/Checkmk/checkmk/commit/8ca7898d84451646596b6c9c6da80f019…
Author: Mehrdad Shahidi <mohammadmehrdad.shahidi(a)checkmk.com>
Date: 2024-08-26 (Mon, 26 Aug 2024)
Changed paths:
A .werks/17026.md
Log Message:
-----------
17026 SEC Fix XSS in view page with SLA column

Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML
in the view page without proper escaping, leading to a potential XSS vulnerability.

**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)

**Indicators of Compromise**:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.

**Vulnerability Management**:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, and assigned
`CVE-2024-38859`.

Change-Id: If1a560f4e6bbf5f52d9363a636e316653e134a58
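The werk above describes the bug class (a user-supplied column title interpolated into page markup without escaping) and its remedy (escape before rendering). The following added example, which is not Checkmk's code and not part of the commit, puts the unescaped pattern beside the escaped one using only the Python standard library, plus two small helpers a reviewer could use to check rendered cells. The function names, the `<th class="sla">` wrapper and the sample titles are assumptions constructed for this illustration.

```python
"""Escaping user-controlled column titles before rendering them as HTML.

Added example, not Checkmk's code: it contrasts an unescaped rendering of a
title (the pattern the werk describes) with the escaped form. Function names,
the wrapping markup and the sample titles are constructed assumptions.
"""
import html
import re

# Constructed sample titles, as a user might save them in a view definition.
SAMPLE_TITLES = {
    "plain": "Monthly availability",
    "markup": "SLA <b>gold</b> & platinum",
    "script": "SLA <script>alert(1)</script>",
}

CELL_OPEN = '<th class="sla">'
CELL_CLOSE = "</th>"
TAG_RE = re.compile(r"<[a-zA-Z/!][^>]*>")


def render_title_unescaped(title: str) -> str:
    """Vulnerable pattern: the title is interpolated into markup verbatim, so
    any tags it contains become part of the page the browser interprets."""
    return f"{CELL_OPEN}{title}{CELL_CLOSE}"


def render_title_escaped(title: str) -> str:
    """Hardened pattern: HTML metacharacters (& < > " ') are entity-encoded
    first, so the browser displays the title text instead of executing it."""
    return f"{CELL_OPEN}{html.escape(title, quote=True)}{CELL_CLOSE}"


def _inner(rendered: str) -> str:
    """Strip the wrapper we emit ourselves, leaving only the title portion."""
    return rendered[len(CELL_OPEN):-len(CELL_CLOSE)]


def contains_injected_tag(rendered: str) -> bool:
    """Review/test helper: True if the cell body carries any tag beyond the
    single wrapping <th>...</th> produced by the renderer."""
    return TAG_RE.search(_inner(rendered)) is not None


def displayed_text(rendered: str) -> str:
    """The text a browser would show for the cell after entity decoding; used
    to confirm that escaping preserves the title exactly as the user typed it."""
    return html.unescape(_inner(rendered))


if __name__ == "__main__":
    for name, title in SAMPLE_TITLES.items():
        print(f"{name:7} unescaped: {render_title_unescaped(title)}")
        print(f"{name:7} escaped:   {render_title_escaped(title)}")
```

The escaped form is what a templating layer or a markup-aware `HTML` wrapper type should produce by default; the two helpers show the property worth asserting in a regression test for this class of fix: no tag from the user-controlled string survives into the output, while the decoded display text is unchanged.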