CVE-2017-11507


Description

A cross-site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9. An unauthenticated attacker can inject arbitrary HTML or JavaScript via the output_format parameter, and via the username parameter of failed HTTP basic authentication attempts; in both cases the attacker-controlled value is returned unencoded in an internal server error page.

References

http://mathias-kettner.com/check_mk_werks.php?werk_id=7661

https://www.tenable.com/security/research/tra-2017-20

Details

Source: MITRE

Published: 2017-12-11

Updated: 2017-12-26

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:check_mk_project:check_mk:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b1:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b10:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b11:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b2:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b3:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b4:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b5:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b6:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b7:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b8:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:b9:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p1:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p10:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p11:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p12:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p13:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p14:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p15:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p16:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p17:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p18:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p19:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p2:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p20:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p21:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p22:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p23:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p24:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p25:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p3:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p4:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p5:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p6:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p7:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p8:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.2.8:p9:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b1:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b2:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b3:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b4:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b5:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b6:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b7:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b8:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:b9:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p1:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p2:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p3:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p4:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p5:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p6:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p7:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p8:*:*:*:*:*:*

cpe:2.3:a:check_mk_project:check_mk:1.4.0:p9:*:*:*:*:*:*

Tenable Plugins

ID: 105256

Name: Check_MK Internal Server Error XSS

Product: Nessus

Family: CGI abuses : XSS

Severity: medium