Werk #13717: Persistant XSS in Predefined Conditions
| Komponente | Setup | ||||
| Titel | Persistant XSS in Predefined Conditions | ||||
| Datum | 31.01.2022 | ||||
| Level | Bedeutende Änderung | ||||
| Klasse | Sicherheitsfix | ||||
| Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||
| Checkmk versions & editions |
|
This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The title of a Predefined condition is not properly escaped when shown as condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24566.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.