CVE-2022-24566
Publication date 24 February 2022
Last updated 25 August 2025
Ubuntu priority
Description
In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| check-mk | 18.04 LTS bionic |
Not affected
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Notes
0xnishit
fix 2.0.0p20: https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb360e868 fix 1.6.0p28: https://github.com/tribe29/checkmk/commit/8c35508f26ab3033a7a511295cef4b319af48923
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.4 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |