cpe:2.3:a:tribe29:checkmk:1.6.0:b3:*:*:*:*:*:*
Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
Max CVSS
8.8
EPSS Score
0.04%
Published
2024-03-22
Updated
2024-03-22
Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list.
Max CVSS
3.8
EPSS Score
0.04%
Published
2024-03-22
Updated
2024-03-22
Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
Max CVSS
8.2
EPSS Score
0.04%
Published
2024-03-22
Updated
2024-03-22
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credentials
Max CVSS
8.8
EPSS Score
0.05%
Published
2024-01-12
Updated
2024-01-19
Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users.
Max CVSS
8.8
EPSS Score
0.05%
Published
2023-08-10
Updated
2023-08-17
Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.
Max CVSS
8.8
EPSS Score
0.08%
Published
2023-05-17
Updated
2023-05-26
Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-08-01
Updated
2023-08-04
Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs.
Max CVSS
4.3
EPSS Score
0.06%
Published
2023-05-17
Updated
2023-05-25
Privilege escalation in Tribe29 Checkmk Appliance before 1.6.4 allows authenticated site users to escalate privileges via incorrectly set permissions.
Max CVSS
8.8
EPSS Score
0.05%
Published
2023-04-18
Updated
2023-04-27
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-03-20
Updated
2023-03-23
Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges
Max CVSS
8.8
EPSS Score
0.04%
Published
2024-01-12
Updated
2024-01-19
Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges
Max CVSS
8.8
EPSS Score
0.04%
Published
2024-01-12
Updated
2024-01-19
Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-04-04
Updated
2023-04-11
Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server. Checkmk <= 2.1.0p19, Checkmk <= 2.0.0p32, and all versions of Checkmk 1.6.0 (EOL) are affected.
Max CVSS
8.1
EPSS Score
0.07%
Published
2023-01-26
Updated
2023-02-06
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-02-20
Updated
2023-03-02
Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.
Max CVSS
6.5
EPSS Score
0.04%
Published
2023-02-20
Updated
2023-03-03
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-02-20
Updated
2023-12-21
PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.
Max CVSS
9.1
EPSS Score
0.07%
Published
2023-02-20
Updated
2023-12-21
Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.
Max CVSS
8.0
EPSS Score
0.11%
Published
2023-02-20
Updated
2023-06-23
Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host.
Max CVSS
8.8
EPSS Score
0.05%
Published
2023-04-20
Updated
2023-05-04
Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk before 2.1.0p1, before 2.0.0p25 and before 1.6.0p29 on a Checkmk server allows the site user to escalate privileges via a manipulated unixcat executable
Max CVSS
8.8
EPSS Score
0.04%
Published
2023-02-09
Updated
2023-02-16
A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.
Max CVSS
7.8
EPSS Score
0.04%
Published
2022-06-17
Updated
2022-06-28
In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink.
Max CVSS
8.2
EPSS Score
0.04%
Published
2022-05-20
Updated
2022-06-07
In Checkmk <=2.0.0p19 fixed in 2.0.0p20 and Checkmk <=1.6.0p27 fixed in 1.6.0p28, the title of a Predefined condition is not properly escaped when shown as condition, which can result in Cross Site Scripting (XSS).
Max CVSS
5.4
EPSS Score
0.05%
Published
2022-02-24
Updated
2022-03-02
Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. The Alias of a site was not properly escaped when shown as condition for notifications.
Max CVSS
5.4
EPSS Score
0.05%
Published
2022-02-24
Updated
2022-03-02
28 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!