CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22307 – Site-Passwords in GET parameters
https://notcve.org/view.php?id=CVE-2023-22307
Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows local attacker to retrieve passwords via reading log files. • https://checkmk.com/werk/9522 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-598: Use of GET Request Method With Sensitive Query Strings CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 41EXPL: 0CVE-2023-2020 – Unauthorized scheduling of downtimes via REST API
https://notcve.org/view.php?id=CVE-2023-2020
Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. • https://checkmk.com/werk/13981 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 135EXPL: 0CVE-2023-1768 – Symmetric agent data encryption fails silently
https://notcve.org/view.php?id=CVE-2023-1768
Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. • https://checkmk.com/werk/15423 • CWE-446: UI Discrepancy for Security Feature •
CVSS: 5.4EPSS: 0%CPEs: 77EXPL: 0CVE-2023-22288 – Email HTML Injection
https://notcve.org/view.php?id=CVE-2023-22288
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails • https://checkmk.com/werk/15069 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-138: Improper Neutralization of Special Elements •
CVSS: 5.4EPSS: 0%CPEs: 111EXPL: 0CVE-2022-48320 – CSRF in add-visual endpoint
https://notcve.org/view.php?id=CVE-2022-48320
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages. • https://checkmk.com/werk/14924 • CWE-352: Cross-Site Request Forgery (CSRF) •