Werk #17010: XSS in SQL check parameters
Komponente | Setup | ||||||||
Titel | XSS in SQL check parameters | ||||||||
Datum | 17.06.2024 | ||||||||
Level | Kleine Änderung | ||||||||
Klasse | Sicherheitsfix | ||||||||
Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||||||
Checkmk versions & editions |
|
Prior to this Werk an attacher could add HTML to one parameter of the Check SQL database rule which was executed on the overview page.
We found this vulnerability internally.
Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well)
Indicators of Compromis:
The creation of such rules is logged in the audit log. You can therefore check the wato_audit.log
either on the terminal or in the UI for entries that contain malicious HTML.
Vulnerability Management:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
We assigned CVE-2024-6052 to this vulnerability.
Changes: This Werk fixes the escaping.