Vulnerabilities > Tribe29 > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-12 | CVE-2023-31211 | Always-Incorrect Control Flow Implementation vulnerability in multiple products. Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows an attacker to use locked credentials. | 6.5 |
2023-11-27 | CVE-2023-6287 | Information Exposure Through Log Files vulnerability in Tribe29 Checkmk Appliance Firmware. Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows a local attacker to retrieve passwords by reading log files. | 5.5 |
2023-05-17 | CVE-2023-22348 | Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs. | 4.3 |
2023-04-20 | CVE-2023-22309 | Cross-site Scripting vulnerability in Tribe29 Checkmk Appliance Firmware. Reflective Cross-Site-Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4. | 6.1 |
2023-04-18 | CVE-2023-22307 | Exposure of Resource to Wrong Sphere vulnerability in Tribe29 Checkmk Appliance Firmware. Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows a local attacker to retrieve passwords by reading log files. | 5.5 |
2023-04-04 | CVE-2023-1768 | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. | 5.3 |
2023-03-20 | CVE-2023-22288 | Cross-site Scripting vulnerability in multiple products. HTML Email Injection in Tribe29 Checkmk <=2.1.0p23, <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into emails. | 5.4 |
2022-05-20 | CVE-2022-31258 | Link Following vulnerability in multiple products. In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink. | 6.7 |
2022-03-25 | CVE-2021-40906 | Cross-site Scripting vulnerability in multiple products. CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. | 6.1 |