Werk #13717: Persistant XSS in Predefined Conditions
| Component | Setup | ||||
| Title | Persistant XSS in Predefined Conditions | ||||
| Date | Jan 31, 2022 | ||||
| Level | Prominent Change | ||||
| Class | Security Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The title of a Predefined condition is not properly escaped when shown as condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24566.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.