Werk #5654: Fixed XSS on the site management page
Component | User interface |
Title | Fixed XSS on the site management page |
Date | 24.01.2018 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk version | 1.4.0p24 1.5.0i3 |
Level | Minor change |
Class | Security fix |
Compatibility | Compatible - no manual intervention required |
When using the WATO configuration, it was possible to create a site on the distributed monitoring page whose alias contains JavaScript code. When this site was later displayed in the site tables, the JavaScript code could be executed in the browser context of the user viewing the table.
The insertion of the JavaScript code is only possible for authenticated users with the permission to configure Check_MK sites.
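
The class of bug described above, as an added example (not Checkmk's own code): a stored site alias rendered into a table row without escaping, next to the same row rendered with output escaping. The function names and the sample site data are assumptions constructed for this illustration.

```python
import html

# Constructed sample data: site id -> alias as saved through a config UI.
SITES = {
    "central": "Central site",
    "remote1": '<script>alert("xss")</script>',  # constructed hostile alias
    "remote2": 'Branch "A" & B',                 # benign alias with special chars
}


def render_row_unsafe(site_id, alias):
    # Stored value is concatenated into the markup verbatim, so any tags
    # in the alias become part of the page the viewing user loads.
    return "<tr><td>%s</td><td>%s</td></tr>" % (site_id, alias)


def render_row_safe(site_id, alias):
    # Escape at output time, for every stored field; quote=True also
    # neutralises quotes in case the value ends up in an attribute.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(site_id, quote=True),
        html.escape(alias, quote=True),
    )


def render_table(sites, render_row):
    # Hypothetical stand-in for the site table view.
    rows = [render_row(sid, alias) for sid, alias in sorted(sites.items())]
    return "<table>\n%s\n</table>" % "\n".join(rows)


def contains_live_markup(fragment):
    # Simple check for this demo: did a script tag survive rendering?
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for name, fn in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        table = render_table(SITES, fn)
        print(name, "-> live markup:", contains_live_markup(table))
        print(table)
```

Escaping at render time keeps aliases that were already stored before the fix harmless, which validating input only when a site is saved would not.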