CVE-2021-40906: 
Linux Ubuntu vulnerability analysis and mitigation

CVE-2021-40906 affects CheckMK Raw Edition software versions 1.5.0 to 1.6.0. The vulnerability was discovered on September 1, 2021, and involves a Reflected Cross-Site Scripting (XSS) vulnerability in an unauthenticated zone of the web service (GitHub Advisory).

The vulnerability stems from improper input sanitization of a web service parameter in an unauthenticated zone. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to inject arbitrary HTML content and client-side scripts (such as JavaScript) that can be interpreted by the browser. This can lead to the creation of backdoors on affected devices or the theft of session cookies from previously authenticated users through man-in-the-middle attacks (GitHub Advisory).

The vulnerability was patched in version 1.6.0p27, released on September 30, 2021. Users are advised to update to this version or later to mitigate the vulnerability (GitHub Advisory).

The vendor acknowledged the vulnerability report on September 8, 2021, indicating that XSS vulnerabilities had already been detected and would be patched in the next release (GitHub Advisory).