Lucene search

CheckmkVULNRICHMENT:CVE-2024-28832

HistoryJun 25, 2024 - 11:45 a.m.

CVE-2024-28832 XSS in Crash Report Page

2024-06-2511:45:33

CWE-80

Checkmk

github.com

xss

crash report

checkmk

stored xss

global settings

html elements

injecting

arbitrary scripts

cve-2024-28832

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

6.4

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.

CNA Affected

[
  {
    "vendor": "Checkmk GmbH",
    "product": "Checkmk",
    "versions": [
      {
        "status": "affected",
        "version": "2.3.0",
        "lessThan": "2.3.0p7",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "2.2.0",
        "lessThan": "2.2.0p28",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "2.1.0",
        "lessThan": "2.1.0p45",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "2.0.0p39"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

checkmk.com/werk/17024