Vulnerabilities > Checkmk > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-18 | CVE-2023-2020 | Incorrect Authorization vulnerability in Checkmk 2.1.0/2.2.0 Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. | 4.3 |
| 2023-04-04 | CVE-2023-1768 | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. | 5.3 |
| 2023-03-20 | CVE-2023-22288 | Cross-site Scripting vulnerability in multiple products HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails | 5.4 |
| 2023-02-20 | CVE-2022-48318 | Missing Authorization vulnerability in Checkmk 2.0.0/2.1.0 No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation. | 5.3 |
| 2023-02-20 | CVE-2022-48319 | Information Exposure Through Log Files vulnerability in Checkmk 2.0.0/2.1.0 Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file. | 5.5 |
| 2023-02-20 | CVE-2022-48320 | Cross-Site Request Forgery (CSRF) vulnerability in Checkmk 2.0.0/2.1.0 Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages. | 4.3 |
| 2023-01-09 | CVE-2022-4884 | Path Traversal vulnerability in Checkmk 2.0.0/2.1.0 Path-Traversal in MKP storing in Tribe29 Checkmk <=2.0.0p32 and <= 2.1.0p18 allows an administrator to write mkp files to arbitrary locations via a malicious mkp file. | 4.9 |
| 2022-05-20 | CVE-2022-31258 | Link Following vulnerability in multiple products In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink. | 6.7 |
| 2022-03-25 | CVE-2021-40906 | Cross-site Scripting vulnerability in multiple products CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. | 6.1 |
| 2022-02-24 | CVE-2022-24565 | Cross-site Scripting vulnerability in Checkmk 1.6.0/2.0.0 Checkmk <=2.0.0p19 Fixed in 2.0.0p20 and Checkmk <=1.6.0p27 Fixed in 1.6.0p28 are affected by a Cross Site Scripting (XSS) vulnerability. | 5.4 |