Werk #15069: Fix Email HTML Injection
| Component | Notifications |
| Title | Fix Email HTML Injection |
| Date | Mar 8, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.0.0p35 2.1.0p25 2.2.0b1 2.3.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
Previously an authenticated attacker with permissions to configure HTML notifications was able to inject HTML into E-Mails via Insert HTML section between body and table.
We found this vulnerability internally and have no indication of any exploitation.
Affected Versions: * 2.1.0 * 2.0.0 * 1.6.0 (probably older versions as well)
Indicators of Compromise: To detect previous exploitation of this vulnerability one can check etc/check_mk/conf.d/wato/notifications.mk. Search for insert_html_section and malicious HTML.
Vulnerability Management: We calculated a CVSS3.1 score of 4.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.
Changes: With this Werk the Insert HTML section between body and table will be sanitized in the usual manner. So certain formatting tags like h1, b, etc. are still possible to use.
To be precise:
h1, h2, b, tt, i, u, br, nobr, pre, sup, p, li, ul, ol without any additional attributes are allowed.
Links are currently not possible, this will be fixed with Werk #15686.
