Werk #13199: Persistant XSS in Custom User Attributes
Component | Setup | ||
Title | Persistant XSS in Custom User Attributes | ||
Date | Jan 27, 2022 | ||
Level | Prominent Change | ||
Class | Security Fix | ||
Compatibility | Incompatible - Manual interaction might be required | ||
Checkmk versions & editions |
|
This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
While creating or editing a user attribute the Help Text is subject to HTML injection. Which can be triggerd editing a user.
To mitigate this vulnerability ensure that only trustwothy users have the User management and Manage custom attributes rights.
Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions including 2.0.0p19.
If you have custom HTML code in the Help Text this will no longer be rendered as HTML, but will be escaped.
To detect if this vulnerability is/was used you can check etc/check_mk/multisite.d/wato/custom_attrs.mk for HTML code. Please be aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24564.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.