[Pkg-nagios-devel] Bug#865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py

Salvatore Bonaccorso carnil at debian.org
Thu Jun 22 03:16:03 UTC 2017

Source: check-mk
Version: 1.2.8p16-1
Severity: grave
Tags: patch upstream security
Justification: user security hole


the following vulnerability was published for check-mk.

| A cross site scripting (XSS) vulnerability exists in Check_MK versions
| 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to
| inject arbitrary HTML or JavaScript via the _username parameter when
| attempting authentication to webapi.py, which is returned unencoded
| with content type text/html.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9781


More information about the Pkg-nagios-devel mailing list