CVE-2022-24566
Published: 24 February 2022
In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS).
Notes
Author | Note |
---|---|
0xnishit | fix 2.0.0p20: https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb360e868 fix 1.6.0p28: https://github.com/tribe29/checkmk/commit/8c35508f26ab3033a7a511295cef4b319af48923 |
Priority
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |