CVE-2014-5338

Published: 22 August 2014

Multiple cross-site scripting (XSS) vulnerabilities in the multisite component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) render_status_icons function in htmllib.py or (2) ajax_action function in actions.py.

Notes

Author	Note
jdstrand	per Debian, code not present in 2.3

Priority

Status

Package	Release	Status
check-mk Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Not vulnerable (code-not-present)
	trusty	Does not exist (trusty was not-affected [code-not-present])
	upstream	Needs triage

References

http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4b71709456bfc2ffc27a3583f13cc2ac0e726709
http://packetstormsecurity.com/files/127941/Deutsche-Telekom-CERT-Advisory-DTC-A-20140820-001.html
http://mathias-kettner.de/check_mk_werks.php?werk_id=0982&HTML=yes
https://www.cve.org/CVERecord?id=CVE-2014-5338
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›