Werk 16618 was adapted. The following is the new Werk, a diff is shown at the end of the
message.
[//]: # (werk v2)
# Fix XSS in graph rendering
key | value
---------- | ---
date | 2024-04-04T14:24:50+00:00
version | 2.3.0b4
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk a service name with html tags lead to cross site scripting in the graph
rendering.
We found this vulnerability internally.
**Affected Versions**:
Only 2.3.0 is affected, older versions are NOT affected.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`.
We assigned CVE-2024-2380 to this vulnerability.
**Changes**:
This Werk changes the encoding engine to use our customized JSON encoder.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Fix XSS in graph rendering
key | value
---------- | ---
date | 2024-04-04T14:24:50+00:00
- version | 2.3.0b5
? ^
+ version | 2.3.0b4
? ^
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk a service name with html tags lead to cross site scripting in the
graph rendering.
We found this vulnerability internally.
**Affected Versions**:
Only 2.3.0 is affected, older versions are NOT affected.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS
vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`.
We assigned CVE-2024-2380 to this vulnerability.
**Changes**:
This Werk changes the encoding engine to use our customized JSON encoder.