Total
50 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-43440 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 7.8 HIGH |
| Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk before 2.1.0p1, before 2.0.0p25 and before 1.6.0p29 on a Checkmk server allows the site user to escalate privileges via a manipulated unixcat executable | |||||
| CVE-2017-14955 | 1 Checkmk | 1 Checkmk | 2024-07-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report. | |||||
| CVE-2022-48320 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 4.3 MEDIUM |
| Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages. | |||||
| CVE-2023-6156 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||||
| CVE-2021-40904 | 1 Checkmk | 1 Checkmk | 2024-07-23 | 6.8 MEDIUM | 8.8 HIGH |
| The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator. | |||||
| CVE-2023-31210 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 7.8 HIGH |
| Usage of user controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows malicious Checkmk site user to escalate rights via injection of malicious libraries | |||||
| CVE-2022-24565 | 1 Checkmk | 1 Checkmk | 2024-07-23 | 3.5 LOW | 5.4 MEDIUM |
| Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. The Alias of a site was not properly escaped when shown as condition for notifications. | |||||
| CVE-2022-48321 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 3.3 LOW |
| Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API. | |||||
| CVE-2023-31207 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 5.5 MEDIUM |
| Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. | |||||
| CVE-2023-22348 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-07-23 | N/A | 4.3 MEDIUM |
| Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs. | |||||
| CVE-2024-28833 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 7.5 HIGH |
| Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms. | |||||
| CVE-2023-22288 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-07-23 | N/A | 5.4 MEDIUM |
| HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails | |||||
| CVE-2021-40906 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-07-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication. | |||||
| CVE-2022-47909 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 7.8 HIGH |
| Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost. | |||||
| CVE-2022-46836 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 8.8 HIGH |
| PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component. | |||||
| CVE-2023-6157 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||||
| CVE-2023-31208 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-07-23 | N/A | 8.8 HIGH |
| Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users. | |||||
| CVE-2022-24564 | 1 Checkmk | 1 Checkmk | 2024-07-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| Checkmk <=2.0.0p19 contains a Cross Site Scripting (XSS) vulnerability. While creating or editing a user attribute, the Help Text is subject to HTML injection, which can be triggered for editing a user. | |||||
| CVE-2023-0284 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-07-23 | N/A | 8.1 HIGH |
| Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server. Checkmk <= 2.1.0p19, Checkmk <= 2.0.0p32, and all versions of Checkmk 1.6.0 (EOL) are affected. | |||||
| CVE-2022-24566 | 1 Checkmk | 1 Checkmk | 2024-07-23 | 3.5 LOW | 5.4 MEDIUM |
| In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS). | |||||