ID: 6566
Title: Fixed possible XSS on agent update status views
Component: agents
Level: 1
Class: Security fix
Version: 1.6.0i1
Parts of the agent deployment status could be used to inject script into the agent update status views (XSS).
ID: 6567
Title: Fixed possible XSS on activate changes page
Component: WATO
Level: 1
Class: Security fix
Version: 1.6.0i1
It was possible to trigger an XSS issue using the change messages
in some situations.
ID: 6568
Title: Fixed possible XSS on custom icon management page
Component: WATO
Level: 1
Class: Security fix
Version: 1.6.0i1
Icons with specially crafted names could be used to trigger an XSS on the icon
administration page. Only admin users were affected.
ID: 6611
Title: Fixed multiple reflected XSS attacks using AJAX calls
Component: WATO
Level: 1
Class: Security fix
Version: 1.6.0i1
Several AJAX calls with an invalid content type setting could be used
to trigger reflected XSS attacks.
ID: 6615
Title: Fixed unauthorized access to master control actions
Component: Multisite
Level: 2
Class: Security fix
Version: 1.6.0i1
As an authenticated guest user it was possible to gain unauthorized access to
the master control snapin actions, even if the user was not allowed to open the
master control snapin itself. The vulnerability could be used to disable
monitoring completely or to trigger other actions, such as disabling notifications.
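The weakness in werk 6615 is that the permission check lived in the code that draws the snapin, not in the code that executes its actions, so a guest who knew the action URL could bypass the hidden snapin. The following is an added illustration, not Check_MK's code: the permission names, the in-memory core state and the action functions are hypothetical stand-ins. It shows the vulnerable pattern beside a version that enforces the permission at the action itself.

```python
import functools

# Constructed in-memory stand-ins for the monitoring core's master switches
# and for a role/permission model (hypothetical names, not Check_MK's own).
CORE_STATE = {'notifications_enabled': True, 'checks_enabled': True}
ROLE_PERMISSIONS = {
    'guest': {'general.use'},
    'admin': {'general.use', 'sidesnap.master_control'},
}


def reset_core_state():
    """Restore the constructed core state to 'everything enabled'."""
    CORE_STATE.update({'notifications_enabled': True, 'checks_enabled': True})


class User:
    def __init__(self, name, role):
        self.name, self.role = name, role

    def may(self, permission):
        return permission in ROLE_PERMISSIONS.get(self.role, set())


def requires_permission(permission):
    """Deny the call itself unless the user holds the permission. Hiding the
    snapin in the UI is no substitute: the action URL can be requested directly."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(user, *args, **kwargs):
            if not user.may(permission):
                raise PermissionError('%s lacks %s' % (user.name, permission))
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


def render_master_control_snapin(user):
    """The UI side: the snapin (and its action links) is only drawn for
    permitted users. This is the only check the vulnerable version had."""
    if not user.may('sidesnap.master_control'):
        return ''
    return '<a href="master_control_action.py?notifications_enabled=0">disable notifications</a>'


def vulnerable_switch_master_state(user, setting, value):
    """Action endpoint without its own check: any authenticated user who
    requests it flips the switch, whether or not the snapin was visible."""
    CORE_STATE[setting] = bool(value)
    return CORE_STATE[setting]


@requires_permission('sidesnap.master_control')
def hardened_switch_master_state(user, setting, value):
    """Same action, but the permission is enforced where the state changes."""
    if setting not in CORE_STATE:
        raise ValueError('unknown setting %r' % setting)
    CORE_STATE[setting] = bool(value)
    return CORE_STATE[setting]


def attempt(action, user, setting, value):
    """Run an action and report ('ok'|'denied', resulting value of the setting)."""
    try:
        return 'ok', action(user, setting, value)
    except PermissionError:
        return 'denied', CORE_STATE[setting]


if __name__ == '__main__':
    guest, admin = User('guest1', 'guest'), User('cmkadmin', 'admin')
    print('snapin shown to guest:', bool(render_master_control_snapin(guest)))
    print('guest, vulnerable:', attempt(vulnerable_switch_master_state, guest, 'notifications_enabled', 0))
    reset_core_state()
    print('guest, hardened:', attempt(hardened_switch_master_state, guest, 'notifications_enabled', 0))
    print('admin, hardened:', attempt(hardened_switch_master_state, admin, 'notifications_enabled', 0))
```

The decorator is the point: every state-changing endpoint carries its own authorization check, independent of whatever the sidebar chose to render.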
ID: 6614
Title: Fixed reflected XSS affecting agent updater AJAX calls
Component: agents
Level: 1
Class: Security fix
Version: 1.6.0i1
When the hostname of a monitored agent is known, it could be used to exploit
a reflected XSS vulnerability. Any user, authenticated or not, can issue
such a request; the victim does not have to be authorized on the
Check_MK application.
ID: 6613
Title: Fixed multiple reflected XSS affecting sidebar snapin AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
Multiple parameters of several snapin AJAX calls were vulnerable to reflected
XSS. The speedometer snapin is accessible to all users with at least monitoring
privileges.
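Werks 6611, 6614 and 6613 share one mechanism: an AJAX reply reflects a request parameter, and because the reply is served as (or sniffed to) HTML, the browser renders attacker-controlled markup. The following is an added example, not Check_MK's own code; the "host" parameter and the reply format are hypothetical. It contrasts a reply that relies on a text/html content type with one that declares JSON, forbids MIME sniffing and encodes the reflected value, using a crude model of what the browser would execute.

```python
import html
import json

# Constructed attacker-supplied request parameter (hypothetical "host" name).
PAYLOAD = 'srv01"><script>alert(document.cookie)</script>'


def vulnerable_ajax_reply(host):
    """Reflects the parameter into an HTML fragment and serves it as text/html,
    so the injected tag is rendered and the script runs."""
    body = 'Host %s not found' % host
    return {'Content-Type': 'text/html'}, body


def hardened_ajax_reply(host):
    """Three independent layers: declare the real type (JSON), forbid MIME
    sniffing so a browser cannot reinterpret it as HTML, and HTML-encode the
    reflected value so a client that inserts it via innerHTML still gets text."""
    body = json.dumps({
        'result_code': 1,
        'result': 'Host %s not found' % html.escape(host, quote=True),
    })
    headers = {
        'Content-Type': 'application/json; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }
    return headers, body


def browser_would_execute(headers, body):
    """Crude browser model: script executes only when the response is rendered
    as HTML (or has no declared type) and carries an unencoded <script> tag."""
    content_type = headers.get('Content-Type', '').split(';')[0].strip().lower()
    return content_type in ('text/html', '') and '<script>' in body


if __name__ == '__main__':
    for name, reply in (('vulnerable', vulnerable_ajax_reply(PAYLOAD)),
                        ('hardened', hardened_ajax_reply(PAYLOAD))):
        headers, body = reply
        print('%-10s %-40s executes=%s' % (name, headers['Content-Type'],
                                           browser_would_execute(headers, body)))
        print('   ', body)
```

Declaring the content type alone is not enough if the endpoint can also emit HTML error pages; the encoding step covers that path, and nosniff stops older browsers from second-guessing the declared type.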
ID: 6612
Title: Fixed possible reflected XSS using back URLs in view editor
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The "back" parameter of the affected requests is vulnerable to reflected XSS.
This vulnerability affects the create/modify view page and requires at least
guest privileges. The victim has to click the back button to trigger the
injected code.
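A "back" parameter is a URL that ends up in an href, so two things must hold: the value may only point back into the same application (no javascript:, data:, or foreign hosts) and it must be attribute-encoded when emitted. The following is an added example and not Check_MK's own code; the default landing page name is hypothetical. It validates a back URL with an allow-list approach and falls back to a fixed page when the value is rejected.

```python
import re
from html import escape
from urllib.parse import urlsplit

DEFAULT_BACK = 'index.py'  # hypothetical fallback target

# Whitespace, quotes, angle brackets, backslashes and control characters have
# no business in a same-site back link; rejecting them up front also defeats
# attribute break-outs such as  " onmouseover="...
_FORBIDDEN = re.compile(r'[\x00-\x20"\'<>\\`]')


def is_safe_back_url(url):
    """Accept only relative URLs without scheme or host (same origin by
    construction); reject javascript:, data:, absolute and protocol-relative
    URLs and anything carrying characters that could break out of an attribute."""
    if not url or len(url) > 2048:
        return False
    if _FORBIDDEN.search(url):
        return False
    parts = urlsplit(url)
    # urlsplit lowercases the scheme, so "JaVaScRiPt:" is caught as well;
    # "//evil.example/" yields a netloc and is rejected too.
    if parts.scheme or parts.netloc:
        return False
    return True


def back_button_html(back):
    """Render the back link: validated target, attribute-encoded on output."""
    target = back if is_safe_back_url(back) else DEFAULT_BACK
    return '<a href="%s">Back</a>' % escape(target, quote=True)


if __name__ == '__main__':
    # Constructed candidate values for the "back" parameter
    for candidate in ('view.py?view_name=allhosts',
                      'javascript:alert(1)',
                      '//evil.example/',
                      '" onmouseover="alert(1)'):
        print('%-28r safe=%-5s -> %s' % (candidate, is_safe_back_url(candidate),
                                          back_button_html(candidate)))
```

Validation and encoding are separate defenses: the allow-list keeps the link inside the application, and escape() ensures that even a permitted value containing an ampersand cannot disturb the attribute.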
ID: 6610
Title: Fixed possible XSS using the dokuwiki snapin
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki
view of Check_MK without being correctly sanitized. Only an administrator of the
wiki can edit that page, but every user who could access the DokuWiki view
was affected by the vulnerability.
ID: 6621
Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set
Component: agents
Level: 1
Class: Security fix
Version: 1.6.0i1
Using the rule set "Deploy custom files with agent" it is possible to select custom files
to be distributed with the agents built using the Agent Bakery. As this rule set may
add custom executable code to the agents, it makes sense to control the permission
for it more explicitly.
If you want to make sure that administrative users cannot add such custom files to the
agents, you can now revoke the new permission "Configure custom agent file deployments"
from the affected roles.