[//]: # (werk v2)
# Fix XSS in Crash Report Page
key | value
---------- | ---
date | 2024-06-06T13:17:36+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, it was possible to inject HTML elements into Crash report
URL in the Global settings, leading to an `XSS` vulnerability in the Crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS
Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Indicators of Compromise*:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`.
and assigned `CVE-2024-28832`.