CVE-2017-9781

Summary

CVE	CVE-2017-9781
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-06-21 18:29:00 UTC
Updated	2023-11-07 02:50:00 UTC
Description	A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Check Mk Project	Check Mk	1.4.0	All	All	All
Application	Check Mk Project	Check Mk	1.4.0	p1	All	All
Application	Check Mk Project	Check Mk	1.4.0	p2	All	All
Application	Check Mk Project	Check Mk	1.4.0	p3	All	All
Application	Check Mk Project	Check Mk	1.4.0	p4	All	All
Application	Check Mk Project	Check Mk	1.4.0	p5	All	All
Application	Check Mk Project	Check Mk	1.4.0	All	All	All
Application	Check Mk Project	Check Mk	1.4.0	p1	All	All
Application	Check Mk Project	Check Mk	1.4.0	p2	All	All
Application	Check Mk Project	Check Mk	1.4.0	p3	All	All
Application	Check Mk Project	Check Mk	1.4.0	p4	All	All
Application	Check Mk Project	Check Mk	1.4.0	p5	All	All

References

Reference	Source	Link	Tags
[R1] Check_MK Multisite Web UI Reflected XSS - Research Advisory \| Tenable®	MISC	www.tenable.com	Exploit, Third Party Advisory
GitHub - tribe29/checkmk: Checkmk - Best-in-class infrastructure & application monitoring	CONFIRM	git.mathias-kettner.de	Third Party Advisory
GitHub - tribe29/checkmk: Checkmk - Best-in-class infrastructure & application monitoring		git.mathias-kettner.de
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

198866 Ubuntu Security Notification for Checkmk Vulnerabilities (USN-5527-1)