[Pkg-nagios-devel] Bug#865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 22 03:16:03 UTC 2017
Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole
Hi,
the following vulnerability was published for check-mk.
CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781
Regards,
Salvatore
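
The pattern the CVE text describes (the _username parameter returned unencoded with content type text/html) beside an encoded form, plus a regression check that tells them apart. This is an added Python example, not part of the original report and not Check_MK's code; the handler names, the message text and the probe value are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, quote

# Hypothetical handlers: names and message text are assumptions, not Check_MK code.


def auth_error_vulnerable(query_string):
    """Echo _username verbatim in a text/html response (the reported pattern)."""
    user = parse_qs(query_string).get("_username", [""])[0]
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, "Invalid automation user: %s" % user


def auth_error_hardened(query_string):
    """Same message, HTML-escaped and served as plain text with sniffing disabled."""
    user = parse_qs(query_string).get("_username", [""])[0]
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, "Invalid automation user: %s" % html.escape(user, quote=True)


def reflects_markup(handler, probe="<b>probe</b>"):
    """Regression check: True if the handler returns the probe unencoded
    in a response that a browser would render as HTML."""
    headers, body = handler("_username=" + quote(probe))
    is_html = headers.get("Content-Type", "").startswith("text/html")
    return is_html and probe in body


if __name__ == "__main__":
    # Constructed probe; harmless markup is enough to show whether encoding happens.
    for handler in (auth_error_vulnerable, auth_error_hardened):
        print(handler.__name__, "reflects markup:", reflects_markup(handler))
```

Escaping the value and changing the content type are independent defenses; the check fails a handler only when both are missing, which is the condition the advisory describes.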