Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole

Hi,

the following vulnerability was published for check-mk.

CVE-2017-9781[0]:
| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9781

Regards,
Salvatore
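
The failure mode in the CVE description (a request parameter echoed unencoded in a text/html response) next to two ways of closing it, as an added example that is not part of the original report and is not Check_MK code. The function names, message text and JSON keys are hypothetical.

```python
import html
import json

# Constructed input: markup submitted as the _username value (sample only).
SAMPLE_USERNAME = "<script>alert(1)</script>"


def render_auth_error_unsafe(username):
    """Pattern from the CVE text: value echoed as-is into a text/html body."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = "Invalid credentials for user %s" % username
    return headers, body


def render_auth_error_html(username):
    """Same HTML response, with the value entity-encoded before output."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = "Invalid credentials for user %s" % html.escape(username, quote=True)
    return headers, body


def render_auth_error_api(username):
    """API-style response: not typed as HTML, so browsers do not parse it as markup."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = json.dumps({"error": "Invalid credentials", "user": username})
    return headers, body


def reflects_markup(headers, body, value):
    """Regression check: True when a value containing HTML metacharacters
    comes back verbatim in a response typed as text/html."""
    is_html = headers.get("Content-Type", "").startswith("text/html")
    has_meta = any(c in value for c in "<>\"'&")
    return is_html and has_meta and value in body


if __name__ == "__main__":
    for render in (render_auth_error_unsafe, render_auth_error_html, render_auth_error_api):
        hdrs, text = render(SAMPLE_USERNAME)
        print(render.__name__, reflects_markup(hdrs, text, SAMPLE_USERNAME), text)
```

The `reflects_markup` helper is the kind of assertion that fits a regression test for the fixed endpoint: it fails only when the raw value and an HTML content type occur together.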