ubuntucve, Ubuntu.com, UB:CVE-2022-24566
Feb 24, 2022 - 12:00 a.m.

CVE-2022-24566

checkmk
xss vulnerability
cross site scripting
version 2.0.0p19
version 1.6.0p27

CVSS2: 3.5

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 22.7%

In Checkmk <=2.0.0p19 (fixed in 2.0.0p20) and Checkmk <=1.6.0p27 (fixed in
1.6.0p28), the title of a Predefined condition is not properly escaped when
shown as a condition, which can result in Cross Site Scripting (XSS).

Notes

Author: 0xnishit
Note:
fix 2.0.0p20: https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb360e868
fix 1.6.0p28: https://github.com/tribe29/checkmk/commit/8c35508f26ab3033a7a511295cef4b319af48923
