Werk #13717: Persistant XSS in Predefined Conditions
|Title||Persistant XSS in Predefined Conditions|
|Date||Jan 31, 2022|
|Checkmk Editon||Checkmk Raw (CRE)|
|Checkmk Version||2.0.0p20 1.6.0p28|
|Compatibility||Compatible - no manual interaction needed|
This Werk fixes a Persistant Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The title of a Predefined condition is not properly escaped when shown as condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after a attack.
CVE is CVE-2022-24566.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.