Werk #15069: Fix Email HTML Injection

Component Notifications
Title Fix Email HTML Injection
Date Mar 8, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.0.0p35 2.1.0p25 2.2.0b1 2.3.0b1
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

Previously an authenticated attacker with permissions to configure HTML notifications was able to inject HTML into E-Mails via Insert HTML section between body and table.

We found this vulnerability internally and have no indication of any exploitation.

Affected Versions: * 2.1.0 * 2.0.0 * 1.6.0 (probably older versions as well)

Indicators of Compromise: To detect previous exploitation of this vulnerability one can check etc/check_mk/conf.d/wato/notifications.mk. Search for insert_html_section and malicious HTML.

Vulnerability Management: We calculated a CVSS3.1 score of 4.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.

Changes: With this Werk the Insert HTML section between body and table will be sanitized in the usual manner. So certain formatting tags like h1, b, etc. are still possible to use.

To be precise:

h1, h2, b, tt, i, u, br, nobr, pre, sup, p, li, ul, ol without any additional attributes are allowed.

Links are currently not possible, this will be fixed with Werk #15686.

To the list of all Werks