CVE-2020-28919
MEDIUM
Checkmk < 1.6.0p19 - Authenticated Stored Cross-Site Scripting via View Title
Title source: llm
Description
A stored cross-site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.
References (4)
Core References
Vendor Advisory x_refsource_misc
https://checkmk.com/check_mk-werks.php?werk_id=11501
Patch, Third Party Advisory x_refsource_misc
https://github.com/tribe29/checkmk/commit/c00f450f884d8a229b7d8ab3f0452ed802a1ae04
Patch x_refsource_misc
https://github.com/tribe29/checkmk/commit/e7fd8e4c90be490e4293ec91804d00ec01af5ca6
Exploit, Third Party Advisory x_refsource_misc
https://emacsninja.com/posts/cve-2020-28919-stored-xss-in-checkmk-160p18.html
Scores
CVSS v3
5.4
EPSS
0.0108
EPSS Percentile
60.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
checkmk/checkmk
1.6.0 (26 CPE variants)
Published
Jan 15, 2022
Tracked Since
Feb 18, 2026