Vendor CVEs
Checkmk
All CVEs
122 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-38864 | 0.00 | — | 0.00 | Dec 19, 2024 | Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p23, < 2.2.0p38 and <= 2.1.0p49 (EOL) allows a local attacker to read sensitive data. |
| CVE-2024-47094 | 0.00 | — | 0.00 | Nov 29, 2024 | Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p22, <2.2.0p37, <2.1.0p50 (EOL) causes remote site secrets to be written to web log files accessible to local site users. |
| CVE-2024-6747 | 0.00 | — | 0.00 | Oct 10, 2024 | Information leakage in mknotifyd in Checkmk before 2.3.0p18, 2.2.0p36, 2.1.0p49 and in 2.0.0p39 (EOL) allows an attacker to obtain potentially sensitive data. |
| CVE-2024-38861 | 0.00 | — | 0.00 | Sep 27, 2024 | Improper Certificate Validation in Checkmk Exchange plugin MikroTik allows attackers in MitM position to intercept traffic. This issue affects MikroTik: from 2.0.0 through 2.5.5, from 0.4a_mk through 2.0a. |
| CVE-2024-8606 | 0.00 | — | 0.00 | Sep 23, 2024 | Bypass of two-factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass two-factor authentication. |
| CVE-2024-38860 | 0.00 | — | 0.00 | Sep 17, 2024 | Improper neutralization of input in Checkmk before versions 2.3.0p16 and 2.2.0p34 allows attackers to craft malicious links that can facilitate phishing attacks. |
| CVE-2024-6572 | 0.00 | — | 0.00 | Sep 9, 2024 | Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic. |
| CVE-2024-38858 | 0.00 | — | 0.00 | Sep 2, 2024 | Improper neutralization of input in Checkmk before version 2.3.0p14 allows attackers to inject and run malicious scripts in the Robotmk logs view. |
| CVE-2024-38859 | 0.00 | — | 0.00 | Aug 26, 2024 | XSS in the view page with the SLA column configured in Checkmk versions prior to 2.3.0p14, 2.2.0p33, 2.1.0p47 and 2.0.0 (EOL) allowed malicious users to execute arbitrary scripts by injecting HTML elements into the SLA column title. These scripts could be executed when the view… |
| CVE-2024-28829 | 0.00 | — | 0.00 | Aug 20, 2024 | Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges. |
| CVE-2024-6542 | 0.00 | — | 0.00 | Jul 22, 2024 | Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk <= 2.0.0p39, < 2.1.0p47, < 2.2.0p32 and < 2.3.0p11 allows arbitrary livestatus command execution. |
| CVE-2024-28828 | 0.00 | — | 0.00 | Jul 10, 2024 | Cross-Site Request Forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click compromise of the site. |
| CVE-2024-28827 | 0.00 | — | 0.00 | Jul 10, 2024 | Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges. |
| CVE-2024-6163 | 0.00 | — | 0.01 | Jul 8, 2024 | Certain HTTP endpoints of Checkmk in Checkmk < 2.3.0p10, < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allow a remote attacker to bypass authentication and access data. |
| CVE-2024-6052 | 0.00 | — | 0.00 | Jul 3, 2024 | Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements. |
| CVE-2024-38857 | 0.00 | — | 0.00 | Jul 2, 2024 | Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks. |
| CVE-2024-28830 | 0.00 | — | 0.00 | Jun 26, 2024 | Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators. |
| CVE-2024-28832 | 0.00 | — | 0.00 | Jun 25, 2024 | Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings. |
| CVE-2024-28831 | 0.00 | — | 0.00 | Jun 25, 2024 | Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up. |
| CVE-2024-5741 | 0.00 | — | 0.00 | Jun 17, 2024 | Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL). |
| CVE-2024-28833 | 0.00 | — | 0.00 | Jun 10, 2024 | Improper restriction of excessive authentication attempts with two-factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms. |
| CVE-2024-28826 | 0.00 | — | 0.00 | May 29, 2024 | Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server. |
| CVE-2024-28825 | 0.00 | — | 0.01 | Apr 24, 2024 | Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing. |
| CVE-2024-3367 | 0.00 | — | 0.00 | Apr 16, 2024 | Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows a local attacker to inject one argument to runmqsc. |
| CVE-2024-2380 | 0.00 | — | 0.00 | Apr 5, 2024 | Stored XSS in graph rendering in Checkmk <2.3.0b4. |
| CVE-2024-28824 | 0.00 | — | 0.00 | Mar 22, 2024 | Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges. |
| CVE-2024-1742 | 0.00 | — | 0.00 | Mar 22, 2024 | Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list. |
| CVE-2024-0638 | 0.00 | — | 0.00 | Mar 22, 2024 | Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges. |
| CVE-2024-0670 | 0.00 | — | 0.00 | Mar 11, 2024 | Privilege escalation in Windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows a local user to escalate privileges. |
| CVE-2023-6740 | 0.00 | — | 0.00 | Jan 12, 2024 | Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows a local user to escalate privileges. |
| CVE-2023-6735 | 0.00 | — | 0.00 | Jan 12, 2024 | Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows a local user to escalate privileges. |
| CVE-2023-31211 | 0.00 | — | 0.01 | Jan 12, 2024 | Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows an attacker to use locked credentials. |
| CVE-2023-31210 | 0.00 | — | 0.01 | Dec 13, 2023 | Usage of user-controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows a malicious Checkmk site user to escalate rights via injection of malicious libraries. |
| CVE-2023-6287 | 0.00 | — | 0.00 | Nov 27, 2023 | Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows a local attacker to retrieve passwords via reading log files. |
| CVE-2023-6251 | 0.00 | — | 0.00 | Nov 24, 2023 | Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allows an authenticated attacker to delete user-messages for individual users. |
| CVE-2023-6157 | 0.00 | — | 0.01 | Nov 22, 2023 | Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. |
| CVE-2023-6156 | 0.00 | — | 0.01 | Nov 22, 2023 | Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. |
| CVE-2023-23549 | 0.00 | — | 0.01 | Nov 15, 2023 | Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows privileged attackers to cause partial denial of service of the UI via too long hostnames. |
| CVE-2023-31209 | 0.00 | — | 0.01 | Aug 10, 2023 | Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users. |
| CVE-2023-23548 | 0.00 | — | 0.00 | Aug 1, 2023 | Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30. |
| CVE-2023-22359 | 0.00 | — | 0.01 | Jun 26, 2023 | User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames. |
| CVE-2023-22348 | 0.00 | — | 0.01 | May 17, 2023 | Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs. |
| CVE-2023-31208 | 0.00 | — | 0.01 | May 17, 2023 | Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users. |
| CVE-2023-22318 | 0.00 | — | 0.01 | May 15, 2023 | Denial of service in Webconf in Tribe29 Checkmk Appliance before 1.6.5. |
| CVE-2023-31207 | 0.00 | — | 0.00 | May 2, 2023 | Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. |
| CVE-2022-46302 | 0.00 | — | 0.00 | Apr 20, 2023 | Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform… |
| CVE-2023-22309 | 0.00 | — | 0.00 | Apr 20, 2023 | Reflected Cross-Site Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4. |
| CVE-2023-22294 | 0.00 | — | 0.01 | Apr 18, 2023 | Privilege escalation in Tribe29 Checkmk Appliance before 1.6.4 allows authenticated site users to escalate privileges via incorrectly set permissions. |
| CVE-2023-22307 | 0.00 | — | 0.00 | Apr 18, 2023 | Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows a local attacker to retrieve passwords via reading log files. |
| CVE-2023-2020 | 0.00 | — | 0.00 | Apr 18, 2023 | Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. |
Page 2 of 3