CVE-2017-9781

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-9781
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9781.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-9781
Downstream
Published
2017-06-21T18:29:00.387Z
Modified
2026-04-11T20:26:31.898974Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html.

References

Affected packages

Git / github.com/Checkmk/checkmk

Affected ranges

Type
GIT
Repo
https://github.com/Checkmk/checkmk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3144d0a38c9ff1b290ae6f4489c5df34a2daaf65
Last affected
dd45ab44d88b2a38ec9e37e6d19fec999312fabb
Last affected
1d698351348d44f9d6fc8fb544e27512f649ec5c
Last affected
eef06912863fa3c80ed61721e9df1f4c16fd45de
Last affected
a688860baea6809d303bc7dc4c833b48ecc1f4e0
Last affected
b2fba42409c49b7ac589ce84301ce659b9373349
Database specific 
{
    "cpe": [
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:p1:*:*:*:*:*:*",
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:p2:*:*:*:*:*:*",
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:p3:*:*:*:*:*:*",
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:p4:*:*:*:*:*:*",
        "cpe:2.3:a:check_mk_project:check_mk:1.4.0:p5:*:*:*:*:*:*"
    ],
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.4.0"
        },
        {
            "last_affected": "1.4.0-p1"
        },
        {
            "last_affected": "1.4.0-p2"
        },
        {
            "last_affected": "1.4.0-p3"
        },
        {
            "last_affected": "1.4.0-p4"
        },
        {
            "last_affected": "1.4.0-p5"
        }
    ]
}

Affected versions

v1.*
v1.1.0
v1.1.10
v1.1.10b1
v1.1.10b2
v1.1.11i1
v1.1.11i2
v1.1.11i3
v1.1.13i2
v1.1.13i3
v1.1.2
v1.1.3
v1.1.4
v1.1.6
v1.1.6b2
v1.1.7i2
v1.1.7i3
v1.1.7i4
v1.1.7i5
v1.1.8
v1.1.8b1
v1.1.8b2
v1.1.8b3
v1.1.9i1
v1.1.9i3
v1.1.9i4
v1.1.9i5
v1.1.9i7
v1.1.9i8
v1.1.9i9
v1.2.0b2
v1.2.0b3
v1.2.0b4
v1.2.0p1
v1.2.1i5
v1.2.3i4
v1.2.3i5
v1.2.3i6
v1.2.5i1
v1.2.5i6
v1.4.0
v1.4.0b1
v1.4.0b2
v1.4.0b3
v1.4.0b4
v1.4.0b5
v1.4.0b6
v1.4.0b7
v1.4.0b8
v1.4.0i1
v1.4.0i2
v1.4.0i3
v1.4.0p1
v1.4.0p2
v1.4.0p3
v1.4.0p4
v1.4.0p5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9781.json"