Werk #17024: Fix XSS in Crash Report Page

Component Setup
Title Fix XSS in Crash Report Page
Date Jun 6, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p7 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p45 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, it was possible to inject HTML elements into Crash report URL in the Global settings, leading to an XSS vulnerability in the Crash reports page.

This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Indicators of Compromise:

Check the crash report HTTP URL in the Global settings for suspicious HTML elements.

Vulnerability Management:

We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. and assigned CVE-2024-28832.

To the list of all Werks