Branch: refs/heads/2.1.0
Home: https://github.com/Checkmk/checkmk
Commit: 1d8ba09e0b00c5d9d31e25bba48269ab281047ec
https://github.com/Checkmk/checkmk/commit/1d8ba09e0b00c5d9d31e25bba48269ab2…
Author: Mehrdad Shahidi <mohammadmehrdad.shahidi(a)checkmk.com>
Date: 2024-08-26 (Mon, 26 Aug 2024)
Changed paths:
A .werks/17026
Log Message:
-----------
17026 SEC Fix XSS in view page with SLA column
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML
in the view page without proper escaping, leading to a potential XSS vulnerability.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
**Indicators of Compromise**:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
**Vulnerability Management**:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, and assigned
`CVE-2024-38859`.
Change-Id: If1a560f4e6bbf5f52d9363a636e316653e134a58