Lucene search

CheckmkCVELIST:CVE-2024-28832

HistoryJun 25, 2024 - 11:45 a.m.

CVE-2024-28832 XSS in Crash Report Page

2024-06-2511:45:33

CWE-80

Checkmk

www.cve.org

xss

checkmk

crash report

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Checkmk",
    "vendor": "Checkmk GmbH",
    "versions": [
      {
        "lessThan": "2.3.0p7",
        "status": "affected",
        "version": "2.3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "2.2.0p28",
        "status": "affected",
        "version": "2.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "2.1.0p45",
        "status": "affected",
        "version": "2.1.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "2.0.0p39",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

References

checkmk.com/werk/17024