Checkmk Werk 13193: XSS in report editing

24 Sep 2021

ID:          13193
Title:       XSS in report editing
Component:   Reporting & Availability
Level:       1
Class:       Security fix
Version:     2.1.0i1

It was possible to Inject HTML code in various Content elments. This could also be used in
shared reports.

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 9.0
Affected Versions: all below
Workarounds: Disallow users to customize reports (Set 'General Permissions'
&gt; 'Customize reports and use them' to no)
Exploit detections: Check `var/check_mk/web/*/user_reports.mk` for html specialchars.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk Werk 13193: XSS in report editing