CVE-2024-28832

Summary

Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.3.0 < 2.3.0p7affected
Checkmk GmbHCheckmk2.2.0 < 2.2.0p28affected
Checkmk GmbHCheckmk2.1.0 < 2.1.0p45affected
Checkmk GmbHCheckmk2.0.0 <= 2.0.0p39affected

Weaknesses

  • CWE-80: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References