CVE-2020-28919

moderate-risk
Published 2022-01-15

A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Checkmk

References (8)

Vendor Advisory https://checkmk.com/check_mk-werks.php?werk_id=11501
Exploit https://emacsninja.com/posts/cve-2020-28919-stored-xss-in-checkmk-160p18.html
Patch https://github.com/tribe29/checkmk/commit/c00f450f884d8a229b7d8ab3f0452ed802a1ae...
Patch https://github.com/tribe29/checkmk/commit/e7fd8e4c90be490e4293ec91804d00ec01af5c...
Vendor Advisory https://checkmk.com/check_mk-werks.php?werk_id=11501
Exploit https://emacsninja.com/posts/cve-2020-28919-stored-xss-in-checkmk-160p18.html
Patch https://github.com/tribe29/checkmk/commit/c00f450f884d8a229b7d8ab3f0452ed802a1ae...
Patch https://github.com/tribe29/checkmk/commit/e7fd8e4c90be490e4293ec91804d00ec01af5c...
43
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 21/34 · High