Werk #4757

Component: GUI
Title: Fixed possible reflected XSS in webapi.py
Date: 2017-06-14 19:54:07
Check_MK Edition: Check_MK Raw Edition (CRE)
Check_MK Version: 1.4.0p6, 1.5.0i1, 1.2.8p27
Level: 2 - Important change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

In the Check_MK 1.4 branch, URLs like this could be used for a reflected XSS attack:

http:////check_mk/webapi.py?_username=<script>alert("XSS")</script>&_secret=AnythingHere

The error message was interpreted by the browser as HTML, although it should have been delivered as a plain text error message. This has been fixed.
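
The class of bug described above, shown as an added example that is not Check_MK source code: a handler that reflects `_username` in an error message served as HTML, next to a version that serves the same message as plain text. The handler names, the message wording and the status code are assumptions made for the illustration.

```python
# Added illustration, not Check_MK code. Names, message wording and status
# code are assumptions; the request below is constructed sample input.
from urllib.parse import parse_qs


def _auth_error(environ):
    """Build an error text that echoes the user-supplied _username."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    username = params.get("_username", [""])[0]
    return "Invalid automation secret for user %s" % username


def webapi_vulnerable(environ, start_response):
    # Reflected input is declared text/html, so the browser parses it as markup.
    body = _auth_error(environ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def webapi_fixed(environ, start_response):
    # Same message, declared as plain text; nosniff stops content-type guessing.
    body = _auth_error(environ).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body]


def call(app, query_string):
    """Invoke a WSGI app with a constructed request; return (headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["headers"] = dict(headers)

    body = b"".join(app({"QUERY_STRING": query_string}, start_response))
    return captured["headers"], body.decode("utf-8")


def renders_reflected_markup(headers, body):
    """Regression check: is reflected markup delivered with an HTML content type?"""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<script" in body.lower()
```

The `renders_reflected_markup` check can be kept as a regression test for any endpoint that echoes request parameters in its error output.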