Werk #13199: Persistant XSS in Custom User Attributes

Component Setup
Title Persistant XSS in Custom User Attributes
Date Jan 27, 2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.0.0p20
Level Prominent Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)

While creating or editing a user attribute the Help Text is subject to HTML injection. Which can be triggerd editing a user.

To mitigate this vulnerability ensure that only trustwothy users have the User management and Manage custom attributes rights.

Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions including 2.0.0p19.

If you have custom HTML code in the Help Text this will no longer be rendered as HTML, but will be escaped.

To detect if this vulnerability is/was used you can check etc/check_mk/multisite.d/wato/custom_attrs.mk for HTML code. Please be aware that an attacker could delete the code after a attack.

CVE is CVE-2022-24564.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.

To the list of all Werks