Werk #13717: Persistant XSS in Predefined Conditions
Component | Setup |
Title | Persistant XSS in Predefined Conditions |
Date | Jan 31, 2022 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 1.6.0p28 2.0.0p20 |
Level | Prominent Change |
Class | Security Fix |
Compatibility | Compatible - no manual interaction needed |
This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The title of a Predefined condition is not properly escaped when shown as condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24566.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.