Werk #15691: Fix XSS in business intelligence

Komponente Setup
Titel Fix XSS in business intelligence
Datum 25.07.2023
Level Kleine Änderung
Klasse Sicherheitsfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p8 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p32 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p38 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk it was possible to inject HTML or Javascript (Reflected XSS). A legitimate user tricked to click on a prepared link would then run arbitrary Javascript code in a valid session.

This vulnerability is only triggerable if another Business Intelligence BI pack (next to the default) was created.

We found this vulnerability internally.

Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 (probably older versions as well)

Indicators of Compromise: To check for exploitation one can check the site apache access log var/log/apache/access_log for entries like /$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=. The order of the URL paramters can be changed by an attacker. Potential injected code would be in the parameter bulk_moveto.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. We assigned CVE-2023-23548 to this vulnerability.

Changes: This Werk introduces escaping for the vulnerable parameter.

Zur Liste aller Werks