This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
While creating or editing a user attribute the Help Text is
subject to HTML injection. Which can be triggerd editing a user.
To mitigate this vulnerability ensure that only trustwothy users have the
User management and Manage custom attributes rights.
Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions
If you have custom HTML code in the Help Text this will no longer be
rendered as HTML, but will be escaped.
To detect if this vulnerability is/was used you can check
etc/check_mk/multisite.d/wato/custom_attrs.mk for HTML code. Please be
aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24564.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
To the list of all Werks