CVE-2024-28828 – 1-Click compromise via CSRF
https://notcve.org/view.php?id=CVE-2024-28828
Cross-Site Request Forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click compromise of the site: a logged-in user who follows an attacker-controlled link has a state-changing request issued in their session without further interaction. • https://checkmk.com/werk/17090 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-28827 – Privilege escalation in Windows agent
https://notcve.org/view.php?id=CVE-2024-28827
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allow a local attacker to gain SYSTEM privileges. • https://checkmk.com/werk/16845 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2024-6163 – local IP restriction of internal HTTP endpoints
https://notcve.org/view.php?id=CVE-2024-6163
Certain HTTP endpoints of Checkmk < 2.3.0p10, < 2.2.0p31, < 2.1.0p46, and <= 2.0.0p39 (EOL) allow a remote attacker to bypass authentication and access data. The endpoints were restricted by source IP rather than by authentication, so a request that appears to originate from a local address is accepted. • https://checkmk.com/werk/17011 • CWE-290: Authentication Bypass by Spoofing •
CVE-2024-6052 – XSS in SQL check parameters
https://notcve.org/view.php?id=CVE-2024-6052
Stored XSS in Checkmk before versions 2.3.0p10, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements into SQL check parameters. (A second copy of this description on the page gives 2.3.0p8 as the fixed 2.3.0 release; treat 2.3.0p10 as the safe lower bound.) • https://checkmk.com/werk/17010 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-38857 – Reflected links in visuals facilitate phishing attacks
https://notcve.org/view.php?id=CVE-2024-38857
Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks. • https://checkmk.com/werk/17059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
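The five entries above share one practical question: is a given Checkmk release below the fixed patch level on its branch? The script below is an added example, not code from notcve.org or from Checkmk. It transcribes the fix levels listed on this page into a table and checks a version string against them. It assumes the Checkmk "MAJOR.MINOR.MICRO[pN]" version scheme, treats a release without a pN suffix as patch level 0, uses 2.3.0p10 (the higher of the two levels given on this page) for CVE-2024-6052, and reports branches the advisories do not mention (for example a newer 2.4.0) as unknown rather than guessing.

```python
"""Check a Checkmk version string against the fixed releases listed above.

Added example, not code from notcve.org or from Checkmk. Fix levels are
transcribed from the entries on this page. Assumptions: versions follow
"MAJOR.MINOR.MICRO[pN]"; a bare "2.3.0" is patch level 0; beta builds
("2.3.0b1") are not handled.
"""
import re
from typing import Optional

# CVE -> {branch: first fixed patch level}. None means no fixed release on
# that branch (the page marks 2.0.0 as EOL with all patch levels affected).
FIXED: dict[str, dict[str, Optional[int]]] = {
    "CVE-2024-28828": {"2.3.0": 8,  "2.2.0": 29, "2.1.0": 45, "2.0.0": None},
    "CVE-2024-28827": {"2.3.0": 8,  "2.2.0": 29, "2.1.0": 45, "2.0.0": None},
    "CVE-2024-6163":  {"2.3.0": 10, "2.2.0": 31, "2.1.0": 46, "2.0.0": None},
    # The page gives both 2.3.0p10 and 2.3.0p8 for this one; p10 is used.
    "CVE-2024-6052":  {"2.3.0": 10, "2.2.0": 29, "2.1.0": 45, "2.0.0": None},
    "CVE-2024-38857": {"2.3.0": 8,  "2.2.0": 28, "2.1.0": 45, "2.0.0": None},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(version: str) -> tuple[str, int]:
    """Split '2.2.0p28' into ('2.2.0', 28); a bare '2.3.0' becomes ('2.3.0', 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version: {version!r}")
    major, minor, micro, patch = m.groups()
    return f"{int(major)}.{int(minor)}.{int(micro)}", int(patch or 0)


def is_affected(version: str, cve: str) -> Optional[bool]:
    """True if `version` is below the fix for `cve`, False if at or above it,
    None if the branch is not covered by the advisory (e.g. 2.4.0)."""
    branch, patch = parse_version(version)
    fixes = FIXED[cve]
    if branch not in fixes:
        return None
    fixed_at = fixes[branch]
    if fixed_at is None:  # EOL branch: every patch level is affected
        return True
    return patch < fixed_at


def affected_cves(version: str) -> list[str]:
    """All CVEs on this page that still apply to `version` (unknown branches yield none)."""
    return [cve for cve in FIXED if is_affected(version, cve)]


if __name__ == "__main__":
    # Constructed sample versions, one per interesting boundary.
    for v in ("2.3.0p7", "2.3.0p8", "2.3.0p10", "2.2.0p30", "2.0.0p39", "2.4.0"):
        print(f"{v:10} -> {affected_cves(v) or 'none'}")
```

Note that 2.3.0p8 closes the CSRF, Windows agent and phishing-link issues but still leaves CVE-2024-6163 and CVE-2024-6052 open; 2.3.0p10 is the first 2.3.0 release clean against everything listed here.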