CVE-2024-28832 – XSS in Crash Report Page
https://notcve.org/view.php?id=CVE-2024-28832
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings. • https://checkmk.com/werk/17024 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-28831 – XSS in confirmation pop-up
https://notcve.org/view.php?id=CVE-2024-28831
Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up. • https://checkmk.com/werk/17025 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-5741 – XSS in inventory view
https://notcve.org/view.php?id=CVE-2024-5741
Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL) • https://checkmk.com/werk/17009 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-28826 – Unrestricted upload and download paths in check_sftp
https://notcve.org/view.php?id=CVE-2024-28826
Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server. La restricción inadecuada de las rutas de carga y descarga locales en check_sftp en Checkmk anterior a 2.3.0p4, 2.2.0p27, 2.1.0p44 y en Checkmk 2.0.0 (EOL) permite a atacantes con permisos suficientes configurar la verificación para leer y escribir archivos locales en el servidor del sitio Checkmk. • https://checkmk.com/werk/15200 • CWE-73: External Control of File Name or Path •
CVE-2024-28825 – Brute-force protection ineffective for some login methods
https://notcve.org/view.php?id=CVE-2024-28825
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing. La restricción inadecuada de intentos de autenticación excesivos en algunos métodos de autenticación en Checkmk anteriores a 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43 y en Checkmk 2.0.0 (EOL) facilita la fuerza bruta de contraseñas. • https://checkmk.com/werk/15198 • CWE-307: Improper Restriction of Excessive Authentication Attempts •