Checkmk werks level1 September 2018

checkmk-werks-lvl1@lists.checkmk.com

11 participants
145 discussions

Check_MK Werk 6566: Fixed possible XSS on agent update status views

by Lars Michelsen

ID: 6566 Title: Fixed possible XSS on agent update status views Component: agents Level: 1 Class: Security fix Version: 1.6.0i1 Parts of the agent deployment status could be used to trigger XSS injections.

6 years

Check_MK Werk 6567: Fixed possible XSS on activate changes page

by Lars Michelsen

ID: 6567 Title: Fixed possible XSS on activate changes page Component: WATO Level: 1 Class: Security fix Version: 1.6.0i1 It was possible to trigger an XSS issue using the change messages in some situations.

6 years

Check_MK Werk 6568: Fixed possible XSS on custom icon management page

by Lars Michelsen

ID: 6568 Title: Fixed possible XSS on custom icon management page Component: WATO Level: 1 Class: Security fix Version: 1.6.0i1 Using icons with specific names it was possible to trigger an XSS on the icon administration page which only affected admin users.

6 years

Check_MK Werk 6611: Fixed multiple reflected XSS attacks using AJAX calls

by Lars Michelsen

ID: 6611 Title: Fixed multiple reflected XSS attacks using AJAX calls Component: WATO Level: 1 Class: Security fix Version: 1.6.0i1 Several AJAX calls with invalid content type setting could be used to trigger XSS attacks.

6 years

Check_MK Werk 6615: Fixed unauthorized access to master control actions

by Lars Michelsen

ID: 6615 Title: Fixed unauthorized access to master control actions Component: Multisite Level: 2 Class: Security fix Version: 1.6.0i1 As an authenticated guest user it was possible to gain unauthorized access to the master control snapin actions event if it is not possible to open the master control snapin. The vulnerability could be used to disable the complete monitoring or trigger other actions like disabling notifications.

6 years

Check_MK Werk 6614: Fixed reflected XSS affecting agent updater AJAX calls

by Lars Michelsen

ID: 6614 Title: Fixed reflected XSS affecting agent updater AJAX calls Component: agents Level: 1 Class: Security fix Version: 1.6.0i1 When the hostname of a monitored agent is known, this could be used to exploit a reflected XSS vulnerability. Every unauthenticated or authenticated user can issue a request like this. The victim does not have to be authorized on the Check_MK application

6 years

Check_MK Werk 6613: Fixed multiple reflected XSS in affecting sidebar snapin AJAX calls

by Lars Michelsen

ID: 6613 Title: Fixed multiple reflected XSS in affecting sidebar snapin AJAX calls Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 Multiple parameters of several snapin AJAX calls were vulnerable to reflected XSS. The speedometer is accessible to all users with at least monitoring privileges.

6 years

Check_MK Werk 6612: Fixed possible reflected XSS using back URLs in view editor

by Lars Michelsen

ID: 6612 Title: Fixed possible reflected XSS using back URLs in view editor Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The parameter back of the following requests is vulnerable to reflected XSS. This vulnerability affects the create/modify view page and requires at least guest privileges. The victim has to click on the back button to trigger the injected code.

6 years

Check_MK Werk 6610: Fixed possible XSS using the dokuwiki snapin

by Lars Michelsen

ID: 6610 Title: Fixed possible XSS using the dokuwiki snapin Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki view of Check_MK, but was is not correctly sanitized. This can only be done by an administrator of the page, but every user who can access the DokuWiki view was affected by the vulnerability.

6 years

Check_MK Werk 6621: Add permission to prevent users from editing "Deploy custom files with agent" rule set

by Lars Michelsen

ID: 6621 Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set Component: agents Level: 1 Class: Security fix Version: 1.6.0i1 Using the rule set "Deploy custom files with agent" it is possible to select custom files to be distributed with the agents built using the Agent Bakery. As this is rule set may add custom executable code to the agents it makes sense to be able to control the permission for this more explicitly. If you want to make sure that administrative users can not add those custom files to the agents, you can now use the rule set "Configure custom agent file deployments" to revoke this permission.

6 years

← Newer
1
...
5
6
7
8
9
10
11
...
15
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1 September 2018