A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html.
References
Link | Resource |
---|---|
http://git.mathias-kettner.de/git/?p=check_mk.git%3Ba=blob%3Bf=.werks/4757%3Bhb=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 | |
https://www.tenable.com/security/research/tra-2017-21 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-06-21T18:00:00
Updated: 2017-11-03T09:57:01
Reserved: 2017-06-21T00:00:00
Link: CVE-2017-9781
JSON object: View
NVD Information
Status : Modified
Published: 2017-06-21T18:29:00.387
Modified: 2023-11-07T02:50:52.100
Link: CVE-2017-9781
JSON object: View
Redhat Information
No data.
CWE