Branch: refs/heads/1.6.0
Home:
https://github.com/tribe29/checkmk
Commit: 014847b95ce463a46e0e04e25dd709fe1481ec75
https://github.com/tribe29/checkmk/commit/014847b95ce463a46e0e04e25dd709fe1…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2021-09-24 (Fri, 24 Sep 2021)
Changed paths:
A .werks/13193
Log Message:
-----------
13193 SEC XSS in report editing
It was possible to inject HTML code in various content elements. This could also be used in
shared reports.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0
Affected Versions: all below
Workarounds: Disallow users to customize reports (Set 'General Permissions' > 'Customize reports and use them' to no)
Exploit detections: Check `var/check_mk/web/*/user_reports.mk` for HTML special characters.
FEED-6407
Change-Id: I45be0dc7ad4e4932766f2f018a225afffdd52bef
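As an added example that is not part of this commit or of Checkmk's own tooling, the following Python script implements the detection hint from the werk: it scans each user's `user_reports.mk` for tag-like or entity-like fragments and reports the user, line number and fragment. The path pattern is the one named in the werk; the sample file content is constructed, and the script assumes it is run from the site root so that the relative pattern resolves.

```python
import glob
import os
import re
from typing import Dict, List, Tuple

# Tag-like (<b>, </b>, <img ...>) or entity-like (&amp;, &#60;) fragments.
# No whitespace is allowed after '<' so a bare comparison such as 'a < b'
# is not reported. A hit means the stored report contains markup and
# deserves a manual look; it is a triage hint, not proof of exploitation.
HTML_MARKUP = re.compile(r"</?[A-Za-z][^<>]*>|&(?:#x?[0-9A-Fa-f]+|[A-Za-z]+);")

# Constructed sample of a user_reports.mk (the real file is a Python
# literal dump written by Checkmk); the 'shared' report carries markup.
SAMPLE_USER_REPORTS = (
    "{'weekly': {'title': 'Weekly summary',\n"
    "            'elements': [('text', {'text': 'All hosts OK'})]},\n"
    " 'shared': {'title': 'Team report',\n"
    "            'elements': [('text', {'text': '<b>not plain text</b>'}),\n"
    "                         ('text', {'text': 'Lost &amp; found'})]}}\n"
)


def find_html_specialchars(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_fragment) for every markup-like hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HTML_MARKUP.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def user_from_path(path: str) -> str:
    """var/check_mk/web/<user>/user_reports.mk -> <user>."""
    return os.path.basename(os.path.dirname(os.path.abspath(path)))


def scan_user_reports(pattern: str = "var/check_mk/web/*/user_reports.mk") -> Dict[str, List[Tuple[int, str]]]:
    """Scan every matching file; map user name to hits (users without hits are omitted)."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_html_specialchars(fh.read())
        if hits:
            findings[user_from_path(path)] = hits
    return findings


if __name__ == "__main__":
    # Run from the site root of the Checkmk site being checked.
    for user, hits in scan_user_reports().items():
        for lineno, fragment in hits:
            print(f"{user}: line {lineno}: {fragment!r}")
```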