{"id":"CVE-2017-11507","details":"A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.2.8x prior to 1.2.8p25 and 1.4.0x prior to 1.4.0p9, allowing an unauthenticated attacker to inject arbitrary HTML or JavaScript via the output_format parameter, and the username parameter of failed HTTP basic authentication attempts, which is returned unencoded in an internal server error page.","modified":"2026-04-10T04:35:46.824291Z","published":"2017-12-11T16:29:00.203Z","references":[{"type":"ADVISORY","url":"http://mathias-kettner.com/check_mk_werks.php?werk_id=7661"},{"type":"EVIDENCE","url":"https://www.tenable.com/security/research/tra-2017-20"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tribe29/checkmk","events":[{"introduced":"0"},{"last_affected":"43a36d6f930612dddca5f389212004b50c663e30"},{"introduced":"0"},{"last_affected":"951ef0f3251db139b1630954f529076de68f2e45"},{"introduced":"0"},{"last_affected":"a5387f48d2c8d75dcf5913991fa6368beb1547db"},{"introduced":"0"},{"last_affected":"9c96426d4a9ba19e56b0a7c89046b52a190491f2"},{"introduced":"0"},{"last_affected":"047bb3e7dedd2c42fb773883e34b04578c84b47f"},{"introduced":"0"},{"last_affected":"7c878ef940aeffc33580f73773eb1faf485b2c65"},{"introduced":"0"},{"last_affected":"4a2fb425774fbdbfd0539c283c60c4e0fc16c041"},{"introduced":"0"},{"last_affected":"dbcaa28f8a56538404167315640f61787f82ab40"},{"introduced":"0"},{"last_affected":"0c160e4c91b176074a6ea50472cf67c2fbd4c8d8"},{"introduced":"0"},{"last_affected":"2473fb54370651ea994b804a5f41beead9fee745"},{"introduced":"0"},{"last_affected":"c1da9b0460ba8a04db25091676793a421c305b78"},{"introduced":"0"},{"last_affected":"c169bb24ec1bd0b9b3e31cfdea971ebf8b85f5cb"},{"introduced":"0"},{"last_affected":"951ef0f3251db139b1630954f529076de68f2e45"},{"introduced":"0"},{"last_affected":"a5387f48d2c8d75dcf5913991fa6368beb1547db"},{"introduced":"0"},{"last_affected":"9c96426d4a9ba19e56b0a7c89046b52a190491f2"},{"introduced":"0"},{"last_affected":"3c29aef2d31dc88288d13fa393a7d42d2e8aa986"},{"introduced":"0"},{"last_affected":"c38313c695ad15013d1629778d52f137466183dd"},{"introduced":"0"},{"last_affected":"37daaffaf5d5d5e7fce84ac8576058f59bc65c6c"},{"introduced":"0"},{"last_affected":"b1a95330a8b75fdddc4e18e8450ad7bfadc28b25"},{"introduced":"0"},{"last_affected":"accce2f1029ba750f914699bd5c6db0334ed1069"},{"introduced":"0"},{"last_affected":"a33ce3201a7e1d8379d8cb1500d0c40f8527b6d9"},{"introduced":"0"},{"last_affected":"bdbf9d6f199d66ead89d8b74f2cc2a0e0c52d4ca"},{"introduced":"0"},{"last_affected":"5a48e8f68b4b8e22e7dc15125ac01b2e818df6b0"},{"introduced":"0"},{"last_affected":"047bb3e7dedd2c42fb773883e34b04578c84b47f"},{"introduced":"0"},{"last_affected":"b2cebe33687c214d5a5decb26b7a489b4ffdf0c8"},{"introduced":"0"},{"last_affected":"e48c02484ddce8f9af91fbdfea9d7f83b2e1fc68"},{"introduced":"0"},{"last_affected":"99f0a015d773a26af6a6fd71521a1d402e02892f"},{"introduced":"0"},{"last_affected":"d90ec721c3e3310181439b3ff0ef72d1199339cc"},{"introduced":"0"},{"last_affected":"7b96b1be4a4c7e8234ba11731f8c4bba5660a036"},{"introduced":"0"},{"last_affected":"7587c8acc9c3c1dd4913eb832e32149c507efc66"},{"introduced":"0"},{"last_affected":"7c878ef940aeffc33580f73773eb1faf485b2c65"},{"introduced":"0"},{"last_affected":"4a2fb425774fbdbfd0539c283c60c4e0fc16c041"},{"introduced":"0"},{"last_affected":"dbcaa28f8a56538404167315640f61787f82ab40"},{"introduced":"0"},{"last_affected":"0c160e4c91b176074a6ea50472cf67c2fbd4c8d8"},{"introduced":"0"},{"last_affected":"2473fb54370651ea994b804a5f41beead9fee745"},{"introduced":"0"},{"last_affected":"c1da9b0460ba8a04db25091676793a421c305b78"},{"introduced":"0"},{"last_affected":"c169bb24ec1bd0b9b3e31cfdea971ebf8b85f5cb"},{"introduced":"0"},{"last_affected":"3144d0a38c9ff1b290ae6f4489c5df34a2daaf65"},{"introduced":"0"},{"last_affected":"dd45ab44d88b2a38ec9e37e6d19fec999312fabb"},{"introduced":"0"},{"last_affected":"1d698351348d44f9d6fc8fb544e27512f649ec5c"},{"introduced":"0"},{"last_affected":"eef06912863fa3c80ed61721e9df1f4c16fd45de"},{"introduced":"0"},{"last_affected":"a688860baea6809d303bc7dc4c833b48ecc1f4e0"},{"introduced":"0"},{"last_affected":"b2fba42409c49b7ac589ce84301ce659b9373349"},{"introduced":"0"},{"last_affected":"1b5a7662e6e7020bc8078156fc5cc31080ca95e1"},{"introduced":"0"},{"last_affected":"93c708f9b40ec66ea6420689e2028e299023ffb9"},{"introduced":"0"},{"last_affected":"922e81cd68fcf1f4b9db6c829c1483377c5795d5"},{"introduced":"0"},{"last_affected":"2c508a7e8192d1335d8ea4b90ad9bad8f842a607"},{"introduced":"0"},{"last_affected":"dd45ab44d88b2a38ec9e37e6d19fec999312fabb"},{"introduced":"0"},{"last_affected":"1d698351348d44f9d6fc8fb544e27512f649ec5c"},{"introduced":"0"},{"last_affected":"eef06912863fa3c80ed61721e9df1f4c16fd45de"},{"introduced":"0"},{"last_affected":"a688860baea6809d303bc7dc4c833b48ecc1f4e0"},{"introduced":"0"},{"last_affected":"b2fba42409c49b7ac589ce84301ce659b9373349"},{"introduced":"0"},{"last_affected":"1b5a7662e6e7020bc8078156fc5cc31080ca95e1"},{"introduced":"0"},{"last_affected":"93c708f9b40ec66ea6420689e2028e299023ffb9"},{"introduced":"0"},{"last_affected":"922e81cd68fcf1f4b9db6c829c1483377c5795d5"},{"introduced":"0"},{"last_affected":"2c508a7e8192d1335d8ea4b90ad9bad8f842a607"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.8"},{"introduced":"0"},{"last_affected":"1.2.8-b1"},{"introduced":"0"},{"last_affected":"1.2.8-b10"},{"introduced":"0"},{"last_affected":"1.2.8-b11"},{"introduced":"0"},{"last_affected":"1.2.8-b2"},{"introduced":"0"},{"last_affected":"1.2.8-b3"},{"introduced":"0"},{"last_affected":"1.2.8-b4"},{"introduced":"0"},{"last_affected":"1.2.8-b5"},{"introduced":"0"},{"last_affected":"1.2.8-b6"},{"introduced":"0"},{"last_affected":"1.2.8-b7"},{"introduced":"0"},{"last_affected":"1.2.8-b8"},{"introduced":"0"},{"last_affected":"1.2.8-b9"},{"introduced":"0"},{"last_affected":"1.2.8-p1"},{"introduced":"0"},{"last_affected":"1.2.8-p10"},{"introduced":"0"},{"last_affected":"1.2.8-p11"},{"introduced":"0"},{"last_affected":"1.2.8-p12"},{"introduced":"0"},{"last_affected":"1.2.8-p13"},{"introduced":"0"},{"last_affected":"1.2.8-p14"},{"introduced":"0"},{"last_affected":"1.2.8-p15"},{"introduced":"0"},{"last_affected":"1.2.8-p16"},{"introduced":"0"},{"last_affected":"1.2.8-p17"},{"introduced":"0"},{"last_affected":"1.2.8-p18"},{"introduced":"0"},{"last_affected":"1.2.8-p19"},{"introduced":"0"},{"last_affected":"1.2.8-p2"},{"introduced":"0"},{"last_affected":"1.2.8-p20"},{"introduced":"0"},{"last_affected":"1.2.8-p21"},{"introduced":"0"},{"last_affected":"1.2.8-p22"},{"introduced":"0"},{"last_affected":"1.2.8-p23"},{"introduced":"0"},{"last_affected":"1.2.8-p24"},{"introduced":"0"},{"last_affected":"1.2.8-p25"},{"introduced":"0"},{"last_affected":"1.2.8-p3"},{"introduced":"0"},{"last_affected":"1.2.8-p4"},{"introduced":"0"},{"last_affected":"1.2.8-p5"},{"introduced":"0"},{"last_affected":"1.2.8-p6"},{"introduced":"0"},{"last_affected":"1.2.8-p7"},{"introduced":"0"},{"last_affected":"1.2.8-p8"},{"introduced":"0"},{"last_affected":"1.2.8-p9"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.0-b1"},{"introduced":"0"},{"last_affected":"1.4.0-b2"},{"introduced":"0"},{"last_affected":"1.4.0-b3"},{"introduced":"0"},{"last_affected":"1.4.0-b4"},{"introduced":"0"},{"last_affected":"1.4.0-b5"},{"introduced":"0"},{"last_affected":"1.4.0-b6"},{"introduced":"0"},{"last_affected":"1.4.0-b7"},{"introduced":"0"},{"last_affected":"1.4.0-b8"},{"introduced":"0"},{"last_affected":"1.4.0-b9"},{"introduced":"0"},{"last_affected":"1.4.0-p1"},{"introduced":"0"},{"last_affected":"1.4.0-p2"},{"introduced":"0"},{"last_affected":"1.4.0-p3"},{"introduced":"0"},{"last_affected":"1.4.0-p4"},{"introduced":"0"},{"last_affected":"1.4.0-p5"},{"introduced":"0"},{"last_affected":"1.4.0-p6"},{"introduced":"0"},{"last_affected":"1.4.0-p7"},{"introduced":"0"},{"last_affected":"1.4.0-p8"},{"introduced":"0"},{"last_affected":"1.4.0-p9"}]}}],"versions":["v1.1.0","v1.1.10","v1.1.10b1","v1.1.10b2","v1.1.11i1","v1.1.11i2","v1.1.11i3","v1.1.13i2","v1.1.13i3","v1.1.2","v1.1.3","v1.1.4","v1.1.6","v1.1.6b2","v1.1.7i2","v1.1.7i3","v1.1.7i4","v1.1.7i5","v1.1.8","v1.1.8b1","v1.1.8b2","v1.1.8b3","v1.1.9i1","v1.1.9i3","v1.1.9i4","v1.1.9i5","v1.1.9i7","v1.1.9i8","v1.1.9i9","v1.2.0b2","v1.2.0b3","v1.2.0b4","v1.2.0p1","v1.2.1i5","v1.2.3i4","v1.2.3i5","v1.2.3i6","v1.2.5i1","v1.2.5i6","v1.2.8","v1.2.8b1","v1.2.8b10","v1.2.8b11","v1.2.8b12","v1.2.8b13","v1.2.8b2","v1.2.8b3","v1.2.8b4","v1.2.8b5","v1.2.8b6","v1.2.8b7","v1.2.8b8","v1.2.8b9","v1.2.8p1","v1.2.8p10","v1.2.8p11","v1.2.8p12","v1.2.8p13","v1.2.8p14","v1.2.8p15","v1.2.8p16","v1.2.8p17","v1.2.8p18","v1.2.8p19","v1.2.8p2","v1.2.8p20","v1.2.8p21","v1.2.8p22","v1.2.8p23","v1.2.8p24","v1.2.8p25","v1.2.8p3","v1.2.8p4","v1.2.8p5","v1.2.8p6","v1.2.8p7","v1.2.8p8","v1.2.8p9","v1.4.0","v1.4.0b1","v1.4.0b2","v1.4.0b3","v1.4.0b4","v1.4.0b5","v1.4.0b6","v1.4.0b7","v1.4.0b8","v1.4.0i1","v1.4.0i2","v1.4.0i3","v1.4.0p1","v1.4.0p2","v1.4.0p3","v1.4.0p4","v1.4.0p5","v1.4.0p6","v1.4.0p7","v1.4.0p8","v1.4.0p9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-11507.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}