Download

Werk #13716: Persistant XSS in Notification configuration

Komponente Setup
Titel Persistant XSS in Notification configuration
Datum 27.01.2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk-Version 1.6.0p28 2.0.0p20
Level Kleine Änderung
Klasse Sicherheitsfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen

This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)

The Alias of a site was not properly escaped when shown as condition for notifications.

To mitigate this vulnerability ensure that only trustwothy users have the Notification configuration and Site management rights. These are admin rights by default.

Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.

To detect if this vulnerability is/was used you can check etc/check_mk/multisite.d/sites.mk and etc/check_mk/conf.d/wato/notifications.mk for HTML code. Please be aware that an attacker could delete the code after a attack.

CVE is CVE-2022-24565.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.

Zur Liste aller Werks

Überzeugen Sie sich selbst

Testen Sie Checkmk jetzt.

Raw Edition herunterladen Kostenloses Open-Source-Monitoring
Play with Checkmk Checkmk ohne Installation ausprobieren
checkmk_conference_10.png

Das Highlight des Jahres: Vom 11. - 13. Juni 2024 kommt die Checkmk Community in München zusammen.

Register now