ID: 6614
Title: Fixed reflected XSS affecting agent updater AJAX calls
Component: agents
Level: 1
Class: Security fix
Version: 1.6.0i1
When the hostname of a monitored agent is known, it could be used to exploit
a reflected XSS vulnerability in the agent updater AJAX calls. Any user,
authenticated or not, can issue such a request, and the victim does not have
to be authorized on the Check_MK application.
ID: 6613
Title: Fixed multiple reflected XSS affecting sidebar snapin AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
Multiple parameters of several sidebar snapin AJAX calls were vulnerable to
reflected XSS. The speedometer snapin is accessible to all users with at least
monitoring privileges.
ID: 6612
Title: Fixed possible reflected XSS using back URLs in view editor
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The parameter <tt>back</tt> of the following requests is vulnerable to reflected
XSS. This vulnerability affects the create/modify view page and requires at
least guest privileges. The victim has to click the back button to trigger
the injected code.
ID: 6610
Title: Fixed possible XSS using the dokuwiki snapin
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The content of the DokuWiki page named "sidebar" was inserted into the DokuWiki
view of Check_MK without being correctly sanitized. Editing that page requires
DokuWiki administrator rights, but every user who could access the DokuWiki
view was affected by the vulnerability.
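The four XSS entries above share one root cause: a string under attacker control (a hostname, a snapin parameter, the <tt>back</tt> URL, or stored wiki markup) is written into HTML without escaping. The following is an added example, not Check_MK's own rendering code: <tt>render_back_link_vulnerable</tt>, <tt>render_back_link_fixed</tt> and <tt>extract_param</tt> are hypothetical names, and the attacker URL is constructed for the demonstration. It shows the reflected case with a <tt>back</tt> parameter; for the stored DokuWiki case only the origin of the untrusted string differs.

```python
# Added example (not Check_MK code): escape-on-output for a reflected GET
# parameter. The function names are hypothetical.
import html
from urllib.parse import parse_qs, urlsplit


def extract_param(request_url, name):
    """Return one GET parameter, percent-decoded, as the web framework would."""
    query = urlsplit(request_url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_back_link_vulnerable(back):
    """Reflects the parameter verbatim: a '"' in it closes the href attribute."""
    return '<a href="%s">Back</a>' % back


def render_back_link_fixed(back):
    """Escapes & < > " ' so the value cannot leave the attribute or open a tag."""
    return '<a href="%s">Back</a>' % html.escape(back, quote=True)


# Constructed attacker URL: the payload closes href and adds an event handler.
ATTACK_URL = ("http://cmk.example/check_mk/edit_view.py"
              "?back=%22%20onmouseover%3D%22alert(1)")


def demo(url=ATTACK_URL):
    """Render the same parameter both ways and return (vulnerable, fixed)."""
    back = extract_param(url, "back")
    return render_back_link_vulnerable(back), render_back_link_fixed(back)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable:", vulnerable)
    print("fixed:     ", fixed)
```

The fixed output keeps the injected text visible to the reader but inert: the only unescaped double quotes left are the two the template itself emits around <tt>href</tt>. Escaping must happen at the point of output, because the same value may legitimately need to be a raw URL elsewhere (for example in a redirect header).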
ID: 6621
Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set
Component: agents
Level: 1
Class: Security fix
Version: 1.6.0i1
Using the rule set "Deploy custom files with agent" it is possible to select custom files
to be distributed with the agents built using the Agent Bakery. As this rule set may
add custom executable code to the agents, it makes sense to be able to control the
permission for it more explicitly.
If you want to make sure that administrative users can not add such custom files to the
agents, you can now revoke the new permission "Configure custom agent file deployments"
for their roles.
ID: 6622
Title: Fixed possible open redirect on login page
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
It was possible to redirect a user to external websites by manipulating GET
parameters of the login page. To exploit this vulnerability, an attacker needs
to trick a user into following a crafted URL. The attack only works if the
user does not notice being redirected to a different site.
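The usual fix for this class of bug is to accept only site-relative targets for the post-login redirect. The following is an added example, not Check_MK's login code: <tt>is_safe_redirect_target</tt>, <tt>safe_redirect</tt> and the default path are hypothetical, and the inputs in <tt>main</tt> are constructed. It goes beyond the plain "http://" case to the variants browsers also treat as cross-origin.

```python
# Added example (not Check_MK code): allow-listing a redirect target taken from
# a GET parameter so it can only point back into the application.
from urllib.parse import urlsplit

DEFAULT_TARGET = "/check_mk/"   # hypothetical landing page


def is_safe_redirect_target(target):
    """True only for a site-relative path such as '/check_mk/view.py?x=1'.

    Rejects absolute URLs ('http://evil'), scheme-relative ones ('//evil'),
    backslash variants that browsers normalise to '//' ('/\\evil'), any
    scheme ('javascript:...') and control characters (header injection).
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//"):
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    # A path starting with a single '/' parses with empty scheme and netloc;
    # anything else means the target would leave the site.
    return not parts.scheme and not parts.netloc


def safe_redirect(requested_target, default=DEFAULT_TARGET):
    """Return the target to send in the Location header after login."""
    if is_safe_redirect_target(requested_target):
        return requested_target
    return default


if __name__ == "__main__":
    # Constructed inputs, not observed attack traffic.
    for t in ["/check_mk/view.py?view_name=allhosts", "http://evil.example/",
              "//evil.example/", "/\\evil.example", "javascript:alert(1)",
              "/check_mk/\r\nSet-Cookie: x=y", ""]:
        print(repr(t), "->", safe_redirect(t))
```

Checking the raw parameter before any further decoding is deliberate: a percent-encoded <tt>%2F%2Fevil</tt> does not start with <tt>/</tt> and is rejected, so the check cannot be bypassed by encoding once more than the framework decodes.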
ID: 6619
Title: Fixed missing CSRF protection for master control AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the master control snapin were not correctly using
CSRF tokens to protect logged in users against malicious links that could
trigger actions.
CMK-963
ID: 6620
Title: Fixed missing CSRF protection for site status AJAX calls
Component: Multisite
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the site status snapin were not correctly using
CSRF tokens to protect logged in users against malicious links that could
trigger actions.
ID: 6618
Title: Fixed missing CSRF protection for host diagnostic AJAX calls
Component: WATO
Level: 1
Class: Security fix
Version: 1.6.0i1
The AJAX calls used by the host diagnostic page were not correctly using
CSRF tokens to protect logged in users against malicious links that could
trigger actions.
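The three CSRF entries above (master control, site status and host diagnostic AJAX calls) describe the same gap: an action endpoint that trusts the session cookie alone, so a link on an attacker's page triggers it in the victim's logged-in browser. The following is an added example, not Check_MK's session or transaction-ID code: the in-memory session store and the function names are hypothetical, and "disable_notifications" is a constructed action name.

```python
# Added example (not Check_MK code): binding a state-changing AJAX action to
# a per-session CSRF token. Names and the session store are hypothetical.
import hmac
import secrets

SESSIONS = {}   # session_id -> {"user": ..., "csrf_token": ...}


def start_session(user):
    """Create a session and a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the page embeds in its own AJAX requests (never in cross-site links)."""
    return SESSIONS[sid]["csrf_token"]


def ajax_action_vulnerable(sid, params):
    """Only checks the cookie: any request carrying the victim's cookie runs."""
    if sid not in SESSIONS:
        return "not logged in"
    return "executed %s" % params["action"]


def ajax_action_fixed(sid, params):
    """Additionally requires the session's token; compared in constant time."""
    if sid not in SESSIONS:
        return "not logged in"
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = str(params.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, expected):
        return "rejected: invalid csrf token"
    return "executed %s" % params["action"]


if __name__ == "__main__":
    sid = start_session("alice")
    # A forged cross-site request has the cookie (browser adds it) but no token.
    forged = {"action": "disable_notifications"}
    legit = {"action": "disable_notifications", "csrf_token": csrf_token_for(sid)}
    print("vulnerable, forged:", ajax_action_vulnerable(sid, forged))
    print("fixed, forged:     ", ajax_action_fixed(sid, forged))
    print("fixed, legitimate: ", ajax_action_fixed(sid, legit))
```

The token is unguessable to the attacker's page because the same-origin policy keeps it from reading the victim's Check_MK pages; the attacker can only make the browser send the cookie. Tokens should travel in a POST body or request header rather than in a GET URL, where they would leak through referrers and logs.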
ID: 6599
Title: HW/SW Inventory: Only count the real entries
Component: HW/SW Inventory
Level: 1
Class: Bug fix
Version: 1.6.0i1
The active check {{Check_MK HW/SW Inventory}}, the
inventory history and the shell commands <tt>cmk -vi</tt>
and <tt>cmk -vii</tt> show the number of found entries.
This number also counted the tree nodes, not only the
attributes. Example:
<tt>Hardware > System > Family: Thinkpad</tt>
gave 3 entries (<tt>Hardware</tt>, <tt>System</tt> and
<tt>Family</tt>). This may be confusing.
Now only the real entries are counted. Example:
<tt>Hardware > System > Family: Thinkpad</tt>
gives 1 entry.
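To make the two counting rules concrete, here is an added example that is not Check_MK's inventory code: the inventory tree is represented as nested dicts (an assumption about the data structure), the sample trees are constructed, and <tt>count_all</tt> and <tt>count_entries</tt> are hypothetical names for the old and the new behaviour.

```python
# Added example (not Check_MK code): old versus new entry counting on a
# nested inventory tree. Nested dicts are nodes; everything else is an entry.

# Constructed sample tree matching the werk's example.
THINKPAD = {"Hardware": {"System": {"Family": "Thinkpad"}}}

# A slightly larger constructed tree with several entries.
LARGER = {
    "Hardware": {
        "System": {"Family": "Thinkpad", "Model": "T480"},
        "Memory": {"Total": 16},
    },
    "Software": {"OS": {"Name": "Linux"}},
}


def count_all(tree):
    """Old behaviour: every node and every attribute is counted."""
    total = 0
    for value in tree.values():
        total += 1
        if isinstance(value, dict):
            total += count_all(value)
    return total


def count_entries(tree):
    """New behaviour: only leaf attributes (the real entries) are counted."""
    total = 0
    for value in tree.values():
        if isinstance(value, dict):
            total += count_entries(value)
        else:
            total += 1
    return total


if __name__ == "__main__":
    for name, tree in [("THINKPAD", THINKPAD), ("LARGER", LARGER)]:
        print("%s: old count %d, new count %d"
              % (name, count_all(tree), count_entries(tree)))
```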