Werk #15069: Fix Email HTML Injection
| Component | Notifications |
| Title | Fix Email HTML Injection |
| Date | Mar 8, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.3.0b1 2.2.0b1 2.1.0p25 2.0.0p35 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
Previously, an authenticated attacker with permissions to configure HTML notifications was able to inject arbitrary HTML into e-mails via the "Insert HTML section between body and table" option.
We found this vulnerability internally and have no indication of any exploitation.
Affected Versions:
- 2.1.0
- 2.0.0
- 1.6.0 (probably older versions as well)
Indicators of Compromise: To detect previous exploitation of this vulnerability one can check . Search for and malicious HTML.
Vulnerability Management: We calculated a CVSS3.1 score of 4.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.
Changes: With this Werk, the "Insert HTML section between body and table" option is sanitized in the usual manner, so certain formatting tags like , , etc. can still be used.
To be precise:
, , , , , , , , , , , , , without any additional attributes are allowed.
Links are currently not possible; this will be fixed with Werk #15686.
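As an added illustration of the allowlist sanitization this Werk describes (example code, not Checkmk's own implementation; the tag allowlist below is an assumption, since the exact list is not reproduced on this page), a minimal sanitizer that keeps only permitted tags, discards every attribute, and drops script/style content and comments entirely:

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of plain formatting/structure tags (the page's own list is
# elided); attributes are never kept, and <a> is not allowed, matching the note
# that links are currently not possible.
ALLOWED_TAGS = {"b", "i", "u", "tt", "p", "br", "hr", "h1", "h2",
                "table", "tr", "th", "td"}
VOID_TAGS = {"br", "hr"}            # no closing tag emitted for these
DROP_CONTENT = {"script", "style"}  # tag AND its text are removed


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens instead of filtering the raw
    string, so malformed or obfuscated markup cannot slip past a regex."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip = 0  # >0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape text

    def handle_comment(self, data):
        pass  # comments (incl. conditional comments) are dropped


def sanitize_html_section(fragment: str) -> str:
    """Return the fragment with only allowed, attribute-free tags retained."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```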