Werk #13199: Persistent XSS in Custom User Attributes

Component: Setup
Title: Persistent XSS in Custom User Attributes
Date: 27.01.2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk version: 2.0.0p20
Level: Major change
Class: Security fix
Compatibility: Incompatible - manual interaction might be required

This Werk fixes a persistent cross-site scripting (XSS) vulnerability (CWE-79).

While creating or editing a custom user attribute, the Help Text field is subject to HTML injection. The injected HTML is rendered when a user is subsequently edited.

To mitigate this vulnerability, ensure that only trustworthy users hold the "User management" and "Manage custom attributes" permissions.

Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions up to and including 2.0.0p19 are.

If you have custom HTML code in the Help Text, it will no longer be rendered as HTML but will be escaped.

To detect whether this vulnerability is being or has been exploited, check etc/check_mk/multisite.d/wato/custom_attrs.mk for HTML code in the help texts. Be aware that an attacker could remove the code again after an attack, so a clean file does not prove that no injection happened.
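The following script is an added example (not Checkmk's own code) that performs the check above: it parses custom_attrs.mk with the ast module rather than executing it, and flags every custom user attribute whose help text contains an HTML tag. The sample file content is constructed here, and the assumed layout of the .mk file (wato_user_attrs += [ {...}, ... ]) is based on how Checkmk's Setup writes such files; the site-relative path and the dictionary keys are assumptions.

```python
import ast
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample mimicking the assumed layout of custom_attrs.mk.
SAMPLE_MK = """# Written by WATO
wato_user_attrs += [
 {'name': 'phone', 'title': 'Phone', 'topic': 'personal',
  'help': 'Internal extension number', 'type': 'TextAscii',
  'user_editable': True, 'show_in_table': False, 'add_custom_macro': False},
 {'name': 'desk', 'title': 'Desk', 'topic': 'personal',
  'help': 'Building <b>A</b> <script>alert(1)</script>', 'type': 'TextAscii',
  'user_editable': True, 'show_in_table': False, 'add_custom_macro': False}]
"""

# Matches an opening or closing HTML tag such as <b>, </b>, <img src=...>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def load_attr_lists(source: str) -> Dict[str, List[dict]]:
    """Collect the lists assigned to names like wato_user_attrs without exec()."""
    found: Dict[str, List[dict]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, ast.AugAssign):
            targets = [node.target]
        else:
            continue  # ignore anything that is not a (augmented) assignment
        for target in targets:
            if isinstance(target, ast.Name):
                # literal_eval only accepts literals, so no code in the file can run
                found.setdefault(target.id, []).extend(ast.literal_eval(node.value))
    return found


def find_html_in_help(source: str) -> List[Tuple[str, str]]:
    """Return (attribute name, help text) for every help text containing a tag."""
    hits = []
    for entry in load_attr_lists(source).get("wato_user_attrs", []):
        help_text = str(entry.get("help", ""))
        if TAG_RE.search(help_text):
            hits.append((str(entry.get("name", "?")), help_text))
    return hits


if __name__ == "__main__":
    # Usage (assumed path, relative to the OMD site directory):
    #   python3 check_custom_attrs.py etc/check_mk/multisite.d/wato/custom_attrs.mk
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MK
    for name, help_text in find_html_in_help(text):
        print(f"HTML in help text of attribute {name!r}: {help_text!r}")
```

On the constructed sample the script reports only the "desk" attribute; on a real site, review every hit manually, since legitimate formatting tags and injected markup look alike to the regex.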

The CVE ID is CVE-2022-24564.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.
