CVE-2017-9781

Published: Jun 21, 2017Modified: May 13, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html.

Affected (6)

Products: Check Mk Project: Check Mk

Check Mk Project

1 product

Check Mk

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Check Mk Project Check Mk	Version 1.4.0
Check Mk Project Check Mk	Version 1.4.0 p1
Check Mk Project Check Mk	Version 1.4.0 p2
Check Mk Project Check Mk	Version 1.4.0 p3
Check Mk Project Check Mk	Version 1.4.0 p4
Check Mk Project Check Mk	Version 1.4.0 p5

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://git.mathias-kettner.de/git/?p=check_mk.git%3Ba=blob%3Bf=.werks/4757%3Bhb=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1

Source: cve@mitre.org

https://www.tenable.com/security/research/tra-2017-21

Source: cve@mitre.org

ExploitThird Party Advisory

http://git.mathias-kettner.de/git/?p=check_mk.git%3Ba=blob%3Bf=.werks/4757%3Bhb=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.tenable.com/security/research/tra-2017-21

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.