CVE-2017-9781
Publication date 21 June 2017
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html.
Status
Package | Ubuntu Release | Status |
---|---|---|
check-mk | 22.04 LTS jammy | Not in release |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Fixed 1.2.8p16-1ubuntu0.2
|
|
16.04 LTS xenial |
Fixed 1.2.6p12-1ubuntu0.16.04.1+esm1
|
|
14.04 LTS trusty | Not in release |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
0xnishit
fix 1.4.0p26: https://github.com/tribe29/checkmk/commit/55b67fe59fdf06d6ceaf0d3ae53f73dd4cdf4161 fix 1.2.8p27: https://github.com/tribe29/checkmk/commit/444b30ccd955467da7a88a5321fc54b042500292
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5527-1
- Checkmk vulnerabilities
- 20 July 2022
- USN-5527-2
- Checkmk vulnerabilities
- 20 July 2022