ID: 4757
Title: Fixed possible reflected XSS in webapi.py
Component: Multisite
Level: 2
Class: Security fix
Version: 1.5.0i1
In the Check_MK 1.4 branch URLs like this could be used for a
reflected XSS attack:
<tt>http://<test
host>/<site>/check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere
The error message was interpreted as HTML while it should be a
plain text error message. This has been fixed now.
Show replies by date