Werk #15069: Fix Email HTML Injection

Component Notifications
Title Fix Email HTML Injection
Date Mar 8, 2023
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.3.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p25 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p35 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Previously, an authenticated attacker with the permission to configure HTML notifications was able to inject HTML into notification e-mails via the "Insert HTML section between body and table" option.

We found this vulnerability internally and have no indication of any exploitation.

Affected Versions:
* 2.1.0
* 2.0.0
* 1.6.0 (probably older versions as well)

Indicators of Compromise: To detect previous exploitation of this vulnerability, check etc/check_mk/conf.d/wato/notifications.mk: search for the insert_html_section key and inspect its values for malicious HTML.

Vulnerability Management: We calculated a CVSS 3.1 score of 4.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.

Changes: With this Werk, the "Insert HTML section between body and table" is sanitized in the usual manner, so certain formatting tags such as h1 and b can still be used.

To be precise:

The tags h1, h2, b, tt, i, u, br, nobr, pre, sup, p, li, ul and ol are allowed, without any additional attributes.

Links are currently not possible; this will be fixed with Werk #15686.
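The following is an added example, not Checkmk's own sanitizer or a tool shipped with the product. It shows both points made above in working code: an allow-list sanitizer that keeps exactly the tags listed in this Werk and neutralises everything else, and an indicator-of-compromise scan that applies the same policy to the insert_html_section values in a notifications.mk file and flags every value that would have been altered. The handling of edge cases is an assumption rather than Checkmk's documented behaviour: attributes on allowed tags are stripped, disallowed tags are HTML-escaped so they render as literal text, and comments are dropped. The notifications.mk excerpt is constructed, and the regex assumes the value is written as a plain single- or double-quoted Python string literal directly after the key, which is a simplification of the real file format.

```python
import ast
import html
import re
from html.parser import HTMLParser

# Allow-list from the Werk: these tags are kept only without attributes.
ALLOWED_TAGS = frozenset(
    ["h1", "h2", "b", "tt", "i", "u", "br", "nobr", "pre", "sup", "p", "li", "ul", "ol"]
)
VOID_TAGS = frozenset(["br"])  # never receives a closing tag


class AllowListSanitizer(HTMLParser):
    """Rebuilds an HTML fragment: allow-listed tags are kept (attributes stripped,
    an assumed policy), every other construct is escaped or dropped, and each
    change is recorded in self.dropped so callers can report on it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            if attrs:
                self.dropped.append(f"attributes on <{tag}>: {attrs}")
            self.parts.append(f"<{tag}>")
        else:
            self.dropped.append(f"tag <{tag}>")
            # Escape the raw tag text so it is displayed, not interpreted.
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # "<tag/>" form: open it; only allowed non-void tags need an explicit close.
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.parts.append(f"</{tag}>")
        else:
            self.parts.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")  # comments are removed entirely

    def handle_decl(self, decl):
        self.dropped.append("declaration")
        self.parts.append(html.escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.dropped.append("processing instruction")
        self.parts.append(html.escape(f"<?{data}>"))


def sanitize(fragment):
    """Return (sanitized_html, list_of_changes) for one HTML section."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()  # flushes buffered character data
    return "".join(parser.parts), parser.dropped


# Assumption: the value follows the key as a plain quoted Python string literal.
SECTION_RE = re.compile(
    r"""['"]insert_html_section['"]\s*:\s*(?P<lit>(?P<q>['"])(?:\\.|(?!(?P=q)).)*(?P=q))""",
    re.S,
)


def scan_notifications_mk(text):
    """IoC check: report every insert_html_section value the sanitizer would change."""
    findings = []
    for m in SECTION_RE.finditer(text):
        value = ast.literal_eval(m.group("lit"))  # decodes escape sequences safely
        _clean, dropped = sanitize(value)
        if dropped:
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "value": value, "dropped": dropped})
    return findings


# Constructed excerpt in the style of notifications.mk (not a real file).
SAMPLE_NOTIFICATIONS_MK = """\
notification_rules += [
    {'description': 'benign formatting',
     'insert_html_section': '<h1>Service alert</h1><p>See <b>details</b> below.<br></p>'},
    {'description': 'needs a look',
     'insert_html_section': '<b style="color:red">urgent</b><script>/* constructed marker */</script>'},
]
"""

if __name__ == "__main__":
    for finding in scan_notifications_mk(SAMPLE_NOTIFICATIONS_MK):
        print(f"line {finding['line']}: {finding['dropped']}")
```

Run against a real file with `scan_notifications_mk(open(path).read())`; an empty result means every HTML section already conforms to the allow-list, while each finding names the line and the constructs (attributes, foreign tags, comments) that the sanitizer in this Werk would have removed.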
