This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The Alias of a site was not properly escaped when shown as condition for notifications.
To mitigate this vulnerability ensure that only trustwothy users have the
Notification configuration and Site management rights. These are
admin rights by default.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check
etc/check_mk/multisite.d/sites.mk and etc/check_mk/conf.d/wato/notifications.mk for HTML code. Please be
aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24565.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
To the list of all Werks