{"id":"CVE-2017-9781","details":"A cross-site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, whose value is returned unencoded with content type text/html.","modified":"2026-04-11T20:26:31.898974Z","published":"2017-06-21T18:29:00.387Z","references":[{"type":"WEB","url":"http://git.mathias-kettner.de/git/?p=check_mk.git%3Ba=blob%3Bf=.werks/4757%3Bhb=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1"},{"type":"EVIDENCE","url":"https://www.tenable.com/security/research/tra-2017-21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Checkmk/checkmk","events":[{"introduced":"0"},{"last_affected":"3144d0a38c9ff1b290ae6f4489c5df34a2daaf65"},{"last_affected":"dd45ab44d88b2a38ec9e37e6d19fec999312fabb"},{"last_affected":"1d698351348d44f9d6fc8fb544e27512f649ec5c"},{"last_affected":"eef06912863fa3c80ed61721e9df1f4c16fd45de"},{"last_affected":"a688860baea6809d303bc7dc4c833b48ecc1f4e0"},{"last_affected":"b2fba42409c49b7ac589ce84301ce659b9373349"}],"database_specific":{"cpe":["cpe:2.3:a:check_mk_project:check_mk:1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:check_mk_project:check_mk:1.4.0:p1:*:*:*:*:*:*","cpe:2.3:a:check_mk_project:check_mk:1.4.0:p2:*:*:*:*:*:*","cpe:2.3:a:check_mk_project:check_mk:1.4.0:p3:*:*:*:*:*:*","cpe:2.3:a:check_mk_project:check_mk:1.4.0:p4:*:*:*:*:*:*","cpe:2.3:a:check_mk_project:check_mk:1.4.0:p5:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"1.4.0"},{"last_affected":"1.4.0-p1"},{"last_affected":"1.4.0-p2"},{"last_affected":"1.4.0-p3"},{"last_affected":"1.4.0-p4"},{"last_affected":"1.4.0-p5"}],"source":"CPE_FIELD"}}],"versions":["v1.1.0","v1.1.10","v1.1.10b1","v1.1.10b2","v1.1.11i1","v1.1.11i2","v1.1.11i3","v1.1.13i2","v1.1.13i3","v1.1.2","v1.1.3","v1.1.4","v1.1.6","v1.1.6b2","v1.1.7i2","v1.1.7i3","v1.1.7i4","v1.1.7i5","v1.1.8","v1.1.8b1","v1.1.8b2","v1.1
.8b3","v1.1.9i1","v1.1.9i3","v1.1.9i4","v1.1.9i5","v1.1.9i7","v1.1.9i8","v1.1.9i9","v1.2.0b2","v1.2.0b3","v1.2.0b4","v1.2.0p1","v1.2.1i5","v1.2.3i4","v1.2.3i5","v1.2.3i6","v1.2.5i1","v1.2.5i6","v1.4.0","v1.4.0b1","v1.4.0b2","v1.4.0b3","v1.4.0b4","v1.4.0b5","v1.4.0b6","v1.4.0b7","v1.4.0b8","v1.4.0i1","v1.4.0i2","v1.4.0i3","v1.4.0p1","v1.4.0p2","v1.4.0p3","v1.4.0p4","v1.4.0p5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9781.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}