There are 6 open security issues in bookworm.
2 important issues:
- CVE-2024-38866:
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to livestatus injection
- CVE-2024-47090:
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS
4 issues left for the package maintainer to handle:
- CVE-2023-46287:
(needs triaging)
XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php.
- CVE-2024-13722:
(needs triaging)
The "NagVis" component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users.
- CVE-2024-13723:
(needs triaging)
The "NagVis" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute the contents of the file as PHP.
- CVE-2024-47093:
(needs triaging)
Improper neutralization of input in Nagvis before version 1.9.42 which can lead to XSS
You can find information about how to handle these issues in the security team's documentation.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/n/nagvis.png){kind=link}