CVE-2022-24566
Publication date 24 February 2022
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS).
Status
Package | Ubuntu Release | Status |
---|---|---|
check-mk | 18.04 LTS bionic |
Not affected
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Ignored end of standard support |
Notes
0xnishit
fix 2.0.0p20: https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb360e868 fix 1.6.0p28: https://github.com/tribe29/checkmk/commit/8c35508f26ab3033a7a511295cef4b319af48923
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |