A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page. References: https://www.tenable.com/security/research/tra-2017-20
We're shipping 1.2.8p26 already on all the supported channels. Is this report still relevant?
Analysis: As per the report, the attack vector is http://[target]/[sitename]/check_mk/login.py?output_format=<script>alert(%27XSS%27)</script>. check_mk/login.py is part of the check-mk-multisite rpm, which is not shipped with Red Hat Gluster Storage 3.
Statement: Red Hat Gluster Storage 3 does not ship check-mk-multisite rpm, and is therefore not affected by this flaw.
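For sites that do run check-mk-multisite, the reflected output_format vector quoted in the analysis above is easy to spot in web server access logs. The following detection helper is an added example, not code from the report or from Check_MK; the log lines are constructed, the IPs and site name are placeholders, and only the URL-visible output_format parameter is covered (the username from failed basic authentication is not in the request line).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2017:12:00:01 +0000] "GET /mysite/check_mk/login.py?output_format=json HTTP/1.1" 200 512
203.0.113.9 - - [10/Aug/2017:12:00:02 +0000] "GET /mysite/check_mk/login.py?output_format=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 500 1034
198.51.100.4 - - [10/Aug/2017:12:00:03 +0000] "GET /mysite/check_mk/view.py?view_name=hosts HTTP/1.1" 200 2048
"""

# Source address, request target and status code from one combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters and tokens that have no business in an output_format value.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)


def suspicious_output_format(line):
    """Return (src, decoded value, status) when the request's output_format
    parameter contains HTML/JS markup, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes once; unquote again to catch double encoding.
    for raw in parse_qs(query, keep_blank_values=True).get("output_format", []):
        value = unquote(raw)
        if MARKUP_RE.search(value):
            return (m.group("src"), value, int(m.group("status")))
    return None


def scan(log_text):
    """Scan a whole log body and return every suspicious hit."""
    return [hit for hit in map(suspicious_output_format, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for src, value, status in scan(SAMPLE_LOG):
        print(f"{src} sent output_format={value!r} (HTTP {status})")
```

A hit with status 500 matches the report's description of the value being echoed into the internal server error page, which is a useful secondary signal when tuning the rule.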
(In reply to Andrea Veri from comment #1)
> We're shipping 1.2.8p26 already on all the supported channels. Is this
> report still relevant?

I know, therefore Fedora is marked as not affected. No action is needed, thanks for checking though!