Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
{
"binaries": [
{
"binary_name": "check-mk-agent",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-agent-logwatch",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-config-icinga",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-config-nagios3",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-livestatus",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-multisite",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
},
{
"binary_name": "check-mk-server",
"binary_version": "1.2.6p12-1ubuntu0.16.04.1+esm1"
}
]
}
{
"binaries": [
{
"binary_name": "check-mk-agent",
"binary_version": "1.2.8p16-1ubuntu0.2"
},
{
"binary_name": "check-mk-agent-logwatch",
"binary_version": "1.2.8p16-1ubuntu0.2"
},
{
"binary_name": "check-mk-config-icinga",
"binary_version": "1.2.8p16-1ubuntu0.2"
},
{
"binary_name": "check-mk-livestatus",
"binary_version": "1.2.8p16-1ubuntu0.2"
},
{
"binary_name": "check-mk-multisite",
"binary_version": "1.2.8p16-1ubuntu0.2"
},
{
"binary_name": "check-mk-server",
"binary_version": "1.2.8p16-1ubuntu0.2"
}
]
}