{"id":"CVE-2020-28919","details":"A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.","modified":"2026-04-10T04:26:46.328570Z","published":"2022-01-15T17:15:08.283Z","references":[{"type":"ADVISORY","url":"https://checkmk.com/check_mk-werks.php?werk_id=11501"},{"type":"FIX","url":"https://github.com/tribe29/checkmk/commit/c00f450f884d8a229b7d8ab3f0452ed802a1ae04"},{"type":"FIX","url":"https://github.com/tribe29/checkmk/commit/e7fd8e4c90be490e4293ec91804d00ec01af5ca6"},{"type":"EVIDENCE","url":"https://emacsninja.com/posts/cve-2020-28919-stored-xss-in-checkmk-160p18.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/checkmk/checkmk","events":[{"introduced":"0"},{"last_affected":"d5ccd5ecc956e665aca80f3c486f7fa46f409424"},{"introduced":"0"},{"last_affected":"04813a13c6522da99028a99cb99505757808497b"},{"introduced":"0"},{"last_affected":"515532647e2ed9711109eda47bba60ab9ef44d77"},{"introduced":"0"},{"last_affected":"2a2ec677a31f9cfa5c00692b64654031c3da2a08"},{"introduced":"0"},{"last_affected":"23c0d61b54a817b4c0a1a23f301b4e1c2833a7b1"},{"introduced":"0"},{"last_affected":"6e04fbc04d3ce031ee3b91dc51fe61df1215ab22"},{"introduced":"0"},{"last_affected":"ba29b0f10d16be2f8513ecd6566f53d508f9fe02"},{"introduced":"0"},{"last_affected":"2c7990e82af4fff30379472838eb5b9ef0ebfa7a"},{"introduced":"0"},{"last_affected":"04813a13c6522da99028a99cb99505757808497b"},{"introduced":"0"},{"last_affected":"515532647e2ed9711109eda47bba60ab9ef44d77"},{"introduced":"0"},{"last_affected":"53649df3184e97b930e8d1dbf7a248e6cb28c21c"},{"introduced":"0"},{"last_affected":"2a2ec677a31f9cfa5c00692b64654031c3da2a08"},{"introduced":"0"},{"last_affected":"bef7153bb05de7a9335a5534edf4d49484c26b98"},{"introduced":"0"},{"last_affected":"c2173ab296c8df943f2b899d2b9beb6a00bab5bd"},{"introduced":"0"},{"last_affected":"d212d3a2692868ea916c37841afa65f4fa07d998"},{"introduced":"0"},{"last_affected":"9d5d264e9fcd0da62d13dbf6decbf7b84ccd86f9"},{"introduced":"0"},{"last_affected":"f4b77018749689779d96b5ae77966cbda916dc52"},{"introduced":"0"},{"last_affected":"604cfaf085d561ecef8e0326187d66bb63b97714"},{"introduced":"0"},{"last_affected":"6c8700b14ba358e91632103a4270b7c49a54e2b8"},{"introduced":"0"},{"last_affected":"23c0d61b54a817b4c0a1a23f301b4e1c2833a7b1"},{"introduced":"0"},{"last_affected":"6e04fbc04d3ce031ee3b91dc51fe61df1215ab22"},{"introduced":"0"},{"last_affected":"ba29b0f10d16be2f8513ecd6566f53d508f9fe02"},{"introduced":"0"},{"last_affected":"fc1eb156035f9941aae400258ef96e77b9c2bef9"},{"introduced":"0"},{"last_affected":"cf11a87326ca17bc321064280763dede1febda7f"},{"introduced":"0"},{"last_affected":"370fedb12335d97dfdec344e4b15bbb489c72b20"},{"introduced":"0"},{"last_affected":"2c7990e82af4fff30379472838eb5b9ef0ebfa7a"},{"fixed":"c00f450f884d8a229b7d8ab3f0452ed802a1ae04"},{"fixed":"e7fd8e4c90be490e4293ec91804d00ec01af5ca6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.6.0-NA"},{"introduced":"0"},{"last_affected":"1.6.0-b1"},{"introduced":"0"},{"last_affected":"1.6.0-b10"},{"introduced":"0"},{"last_affected":"1.6.0-b12"},{"introduced":"0"},{"last_affected":"1.6.0-b3"},{"introduced":"0"},{"last_affected":"1.6.0-b4"},{"introduced":"0"},{"last_affected":"1.6.0-b5"},{"introduced":"0"},{"last_affected":"1.6.0-b9"},{"introduced":"0"},{"last_affected":"1.6.0-p1"},{"introduced":"0"},{"last_affected":"1.6.0-p10"},{"introduced":"0"},{"last_affected":"1.6.0-p11"},{"introduced":"0"},{"last_affected":"1.6.0-p12"},{"introduced":"0"},{"last_affected":"1.6.0-p13"},{"introduced":"0"},{"last_affected":"1.6.0-p14"},{"introduced":"0"},{"last_affected":"1.6.0-p15"},{"introduced":"0"},{"last_affected":"1.6.0-p16"},{"introduced":"0"},{"last_affected":"1.6.0-p17"},{"introduced":"0"},{"last_affected":"1.6.0-p18"},{"introduced":"0"},{"last_affected":"1.6.0-p2"},{"introduced":"0"},{"last_affected":"1.6.0-p3"},{"introduced":"0"},{"last_affected":"1.6.0-p4"},{"introduced":"0"},{"last_affected":"1.6.0-p5"},{"introduced":"0"},{"last_affected":"1.6.0-p6"},{"introduced":"0"},{"last_affected":"1.6.0-p7"},{"introduced":"0"},{"last_affected":"1.6.0-p8"},{"introduced":"0"},{"last_affected":"1.6.0-p9"}]}}],"versions":["1.1.0beta17","v1.1.0","v1.1.10","v1.1.10b1","v1.1.10b2","v1.1.11i1","v1.1.11i2","v1.1.11i3","v1.1.13i2","v1.1.13i3","v1.1.2","v1.1.3","v1.1.4","v1.1.6","v1.1.6b2","v1.1.7i2","v1.1.7i3","v1.1.7i4","v1.1.7i5","v1.1.8","v1.1.8b1","v1.1.8b2","v1.1.8b3","v1.1.9i1","v1.1.9i3","v1.1.9i4","v1.1.9i5","v1.1.9i7","v1.1.9i8","v1.1.9i9","v1.2.0b2","v1.2.0b3","v1.2.0b4","v1.2.0p1","v1.2.1i5","v1.2.3i4","v1.2.3i5","v1.2.3i6","v1.2.5i1","v1.2.5i6","v1.4.0i1","v1.4.0i2","v1.4.0i3","v1.5.0i1","v1.5.0i2","v1.5.0i3","v1.6.0","v1.6.0b1","v1.6.0b10","v1.6.0b11","v1.6.0b2","v1.6.0b3","v1.6.0b4","v1.6.0b5","v1.6.0b6","v1.6.0b7","v1.6.0b8","v1.6.0b9","v1.6.0p1","v1.6.0p10","v1.6.0p11","v1.6.0p12","v1.6.0p13","v1.6.0p14","v1.6.0p15","v1.6.0p16","v1.6.0p17","v1.6.0p18","v1.6.0p2","v1.6.0p3","v1.6.0p4","v1.6.0p5","v1.6.0p6","v1.6.0p7","v1.6.0p8","v1.6.0p9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28919.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}