Werk #13717: Persistent XSS in Predefined Conditions

Component: Setup
Title: Persistent XSS in Predefined Conditions
Date: Jan 31, 2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 1.6.0p28, 2.0.0p20
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

This Werk fixes a persistent cross-site scripting (XSS) vulnerability (CWE-79).

The title of a Predefined condition is not properly escaped when it is shown as a condition.

No mitigation is available.

Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.

To detect whether this vulnerability is being or has been exploited, check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after an attack.
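The check above can be scripted. The following is an added example, not Checkmk's own code: it parses a .mk file (Checkmk .mk files are Python source) and reports every string literal that contains an HTML tag, an inline event-handler attribute or a javascript: URL, falling back to a plain line scan if the file does not parse. The embedded sample file is a constructed approximation of predefined_conditions.mk, and the function names scan_mk_text, scan_mk_file and render_title are assumptions; render_title only illustrates the generic CWE-79 fix of escaping the stored title before it is rendered.

```python
"""Detect HTML markup stored in a Checkmk-style .mk configuration file.

Added example (not Checkmk code). The sample below is a constructed
approximation of etc/check_mk/conf.d/wato/predefined_conditions.mk; only
the contents of string literals are inspected, so the exact layout of the
real file does not matter.
"""
import ast
import html
import re
from typing import List, Tuple

# Heuristic markers of HTML/JavaScript inside a text field: an element tag,
# an inline event-handler attribute (onerror=, onload=, ...) or a
# javascript: URL. Tune this list to the environment; it is deliberately
# broad because a condition title has no legitimate need for markup.
HTML_MARKUP = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|\bon\w+\s*=|javascript:", re.IGNORECASE
)

Finding = Tuple[int, str]  # (line number in the file, offending string)


def scan_mk_text(text: str) -> List[Finding]:
    """Return every string literal in the file that contains HTML markup.

    The text is parsed with ``ast`` so that only string constants are
    examined. If the file is not valid Python, every line is scanned with
    the same pattern instead, so a tampered file is never silently skipped.
    """
    findings: List[Finding] = []
    try:
        tree = ast.parse(text)
    except SyntaxError:
        for lineno, line in enumerate(text.splitlines(), start=1):
            if HTML_MARKUP.search(line):
                findings.append((lineno, line.strip()))
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HTML_MARKUP.search(node.value):
                findings.append((node.lineno, node.value))
    return findings


def scan_mk_file(path: str) -> List[Finding]:
    """Convenience wrapper: scan a file on disk (path relative to the site)."""
    with open(path, encoding="utf-8") as fh:
        return scan_mk_text(fh.read())


def render_title(title: str) -> str:
    """Escape a condition title before inserting it into an HTML page.

    This is the generic fix for CWE-79: the stored title is treated as text,
    so any markup typed into it is displayed literally instead of executed.
    """
    return html.escape(title, quote=True)


# Constructed sample file: one clean condition and one whose title carries
# an image tag with an inline event handler.
SAMPLE_MK = r'''
# constructed sample, not a real Checkmk file
predefined_conditions.update({
    'cond_disk': {
        'title': 'Disk checks on Linux hosts',
        'conditions': {'host_tags': {'os': 'linux'}},
        'owned_by': 'admin',
        'shared': True,
    },
    'cond_suspicious': {
        'title': 'Harmless name<img src=x onerror=alert(1)>',
        'conditions': {'host_tags': {}},
        'owned_by': 'contributor',
        'shared': True,
    },
})
'''


if __name__ == "__main__":
    for lineno, value in scan_mk_text(SAMPLE_MK):
        print(f"line {lineno}: {value!r}")
        print(f"  escaped for display: {render_title(value)}")
```

Run it against the real file with scan_mk_file("etc/check_mk/conf.d/wato/predefined_conditions.mk") from the site directory. A hit means a condition title contains markup that an unpatched 1.6 or 2.0 site would have rendered unescaped; as the Werk notes, an empty result does not prove the file was never tampered with, because the entry could have been removed again.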

The CVE is CVE-2022-24566.

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.
