Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15984 discussions

Check_MK Werk 6614: Fixed reflected XSS affecting agent updater AJAX calls

by Lars Michelsen

ID: 6614 Title: Fixed reflected XSS affecting agent updater AJAX calls Component: agents Level: 1 Class: Security fix Version: 1.6.0i1 When the hostname of a monitored agent is known, this could be used to exploit a reflected XSS vulnerability. Every unauthenticated or authenticated user can issue a request like this. The victim does not have to be authorized on the Check_MK application

6 years

Check_MK Werk 6613: Fixed multiple reflected XSS in affecting sidebar snapin AJAX calls

by Lars Michelsen

ID: 6613 Title: Fixed multiple reflected XSS in affecting sidebar snapin AJAX calls Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 Multiple parameters of several snapin AJAX calls were vulnerable to reflected XSS. The speedometer is accessible to all users with at least monitoring privileges.

6 years

Check_MK Werk 6612: Fixed possible reflected XSS using back URLs in view editor

by Lars Michelsen

ID: 6612 Title: Fixed possible reflected XSS using back URLs in view editor Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The parameter back of the following requests is vulnerable to reflected XSS. This vulnerability affects the create/modify view page and requires at least guest privileges. The victim has to click on the back button to trigger the injected code.

6 years

Check_MK Werk 6610: Fixed possible XSS using the dokuwiki snapin

by Lars Michelsen

ID: 6610 Title: Fixed possible XSS using the dokuwiki snapin Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki view of Check_MK, but was is not correctly sanitized. This can only be done by an administrator of the page, but every user who can access the DokuWiki view was affected by the vulnerability.

6 years

Check_MK Werk 6621: Add permission to prevent users from editing "Deploy custom files with agent" rule set

by Lars Michelsen

ID: 6621 Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set Component: agents Level: 1 Class: Security fix Version: 1.6.0i1 Using the rule set "Deploy custom files with agent" it is possible to select custom files to be distributed with the agents built using the Agent Bakery. As this is rule set may add custom executable code to the agents it makes sense to be able to control the permission for this more explicitly. If you want to make sure that administrative users can not add those custom files to the agents, you can now use the rule set "Configure custom agent file deployments" to revoke this permission.

6 years

Check_MK Werk 6622: Fixed possible open redirect on login page

by Lars Michelsen

ID: 6622 Title: Fixed possible open redirect on login page Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 It was possible to redirect an user to external websites through manipulating GET parameters. To exploit this vulnerability, an attacker needs to trick a user into following a crafted URL. The attack only works if the user does not notice that he is redirected to a different URL.

6 years

Check_MK Werk 6619: Fixed missing CSRF protection for master control AJAX calls

by Lars Michelsen

ID: 6619 Title: Fixed missing CSRF protection for master control AJAX calls Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The AJAX calls used by the master control snapin were not correctly using CSRF tokens to protect logged in users against malicious links that could trigger actions. CMK-963

6 years

Check_MK Werk 6620: Fixed missing CSRF protection for site status AJAX calls

by Lars Michelsen

ID: 6620 Title: Fixed missing CSRF protection for site status AJAX calls Component: Multisite Level: 1 Class: Security fix Version: 1.6.0i1 The AJAX calls used by the site status snapin were not correctly using CSRF tokens to protect logged in users against malicious links that could trigger actions.

6 years

Check_MK Werk 6618: Fixed missing CSRF protection for host diagnostic AJAX calls

by Lars Michelsen

ID: 6618 Title: Fixed missing CSRF protection for host diagnostic AJAX calls Component: WATO Level: 1 Class: Security fix Version: 1.6.0i1 The AJAX calls used by the host diagnostic page were not correctly using CSRF tokens to protect logged in users against malicious links that could trigger actions.

6 years

Check_MK Werk 6599: HW/SW Inventory: Only count the real entries

by Simon Betz

ID: 6599 Title: HW/SW Inventory: Only count the real entries Component: HW/SW Inventory Level: 1 Class: Bug fix Version: 1.6.0i1 The active check {{Check_MK HW/SW Inventory}}, the inventory history and the shell commands <tt>cmk -vi</tt> and <tt>cmk -vii</tt> show the number of found entries. This number also includes the amount of nodes. Example: <tt>Hardware > System > Family: Thinkpad</tt> gives 3 entries. This may be confusing. Now only the real entries are counted. Example: <tt>Hardware > System > Family: Thinkpad</tt> gives 1 entry.

6 years

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1