Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2021-40906

Опубликовано: 25 мар. 2022
Источник: ubuntu
Приоритет: medium
CVSS2: 4.3
CVSS3: 6.1

Описание

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

РелизСтатусПримечание
bionic

released

1.2.8p16-1ubuntu0.2
devel

DNE

esm-apps/bionic

released

1.2.8p16-1ubuntu0.2
esm-apps/xenial

not-affected

code not present
esm-infra/focal

DNE

focal

DNE

jammy

DNE

trusty

ignored

end of standard support
upstream

released

1.6.0p26
xenial

ignored

end of standard support

Показывать по

Ссылки на источники

4.3 Medium

CVSS2

6.1 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2021-40906

CVSS3: 6.1
nvd
почти 4 года назад

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

debian логотип

CVE-2021-40906

CVSS3: 6.1
debian
почти 4 года назад

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not saniti ...

github логотип

GHSA-jv73-q4rg-p7qh

CVSS3: 6.1
github
почти 4 года назад

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

4.3 Medium

CVSS2

6.1 Medium

CVSS3