Werk #15691: Fix XSS in business intelligence

Component Setup
Title Fix XSS in business intelligence
Date Jul 25, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p8: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p32: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p38: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk it was possible to inject HTML or JavaScript (reflected XSS). A legitimate user tricked into clicking a prepared link would then run arbitrary JavaScript code in their valid session.

This vulnerability is only triggerable if at least one additional Business Intelligence (BI) pack (next to the default one) has been created.

We found this vulnerability internally.

Affected Versions:
* 2.2.0
* 2.1.0
* 2.0.0
* 1.6.0 (probably older versions as well)

Indicators of Compromise: To check for exploitation, search the site's Apache access log (var/log/apache/access_log relative to the site directory) for entries like /$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=. The order of the URL parameters can be changed by an attacker, so match on the individual parameters rather than on this exact string. Potential injected code would be in the parameter bulk_moveto; since Apache logs the request line as the client sent it, the payload will typically appear percent-encoded (e.g. %3Cscript%3E rather than <script>).
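The following scanner is an added example for the indicator above, not part of the Werk or of Checkmk's own tooling. It parses Apache combined-format access log lines, picks out requests to wato.py whose query carries mode=bi_aggregations regardless of parameter order, percent-decodes bulk_moveto (twice, to catch double encoding), and reports values that contain HTML or JavaScript markup. The site name "mysite", the client addresses and the log lines are constructed sample data; the markup heuristic is a deliberately simple assumption and will not catch every encoding trick.

```python
"""Scan an Apache access log for the Werk #15691 indicator of compromise."""
import re
import sys
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log format: client ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude markup heuristic (assumption): tag delimiters, javascript: URLs, on*= handlers.
MARKUP_RE = re.compile(r'<|>|javascript:|on[a-z]+\s*=', re.IGNORECASE)

# Constructed sample log lines; "mysite" is a placeholder for $SITENAME.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2023:10:01:02 +0200] "GET /mysite/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2023:10:01:05 +0200] "GET /mysite/check_mk/wato.py?bulk_moveto=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&mode=bi_aggregations HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2023:10:02:00 +0200] "GET /mysite/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=second_pack HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2023:10:02:10 +0200] "GET /mysite/check_mk/index.py HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def bulk_moveto_values(target):
    """Return the decoded bulk_moveto values of a request that hits the
    BI aggregation view of wato.py, or None if the request is unrelated.
    Parameter order does not matter because the query is parsed, not grepped."""
    url = urlsplit(target)
    if not url.path.endswith("/check_mk/wato.py"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "bi_aggregations" not in params.get("mode", []):
        return None
    # parse_qs percent-decodes once; decode again to unwrap double-encoded payloads.
    return [unquote(v) for v in params.get("bulk_moveto", [])]


def scan_log(lines):
    """Return one hit dict per bulk_moveto value that looks like injected markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line (or a format we do not parse)
        values = bulk_moveto_values(m["target"])
        if not values:
            continue
        for value in values:
            if MARKUP_RE.search(value):
                hits.append({
                    "client": m["client"],
                    "time": m["time"],
                    "status": m["status"],
                    "bulk_moveto": value,
                })
    return hits


if __name__ == "__main__":
    # Usage: python scan.py /omd/sites/$SITENAME/var/log/apache/access_log
    # Without an argument the constructed sample log is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_LOG.splitlines()
    for hit in scan_log(source):
        print(f'{hit["time"]} {hit["client"]} status={hit["status"]} '
              f'bulk_moveto={hit["bulk_moveto"]!r}')
```

Only GET requests show their parameters in the access log; a legitimate move of an aggregation to another pack (third sample line) is reported as nothing because the value carries no markup, while the two injected samples are flagged even though one of them has the parameters in reverse order.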

Vulnerability Management: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. We assigned CVE-2023-23548 to this vulnerability.

Changes: This Werk introduces escaping for the vulnerable parameter.
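As an added illustration of the class of bug this Werk closes (not Checkmk's code; the HTML template and the attribute the value lands in are assumptions), the snippet below renders a request parameter into HTML once verbatim and once escaped, and uses the standard-library HTML parser to show that the unescaped rendering turns the parameter into a second element with an event handler, while the escaped rendering keeps it as plain attribute text.

```python
"""Reflected parameter: unescaped rendering beside the escaped fix."""
import html
from html.parser import HTMLParser

# Assumed template: the parameter is reflected into a hidden form field.
TEMPLATE = '<input type="hidden" name="bulk_moveto" value="%s">'

# Constructed payload of the kind a prepared link would carry.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_vulnerable(bulk_moveto):
    """Before the fix: the raw value is interpolated, so it can close the
    attribute and the tag and start a new element."""
    return TEMPLATE % bulk_moveto


def render_fixed(bulk_moveto):
    """After the fix: &, <, >, " and ' are escaped, so the browser treats the
    whole value as attribute text."""
    return TEMPLATE % html.escape(bulk_moveto, quote=True)


class _TagCollector(HTMLParser):
    """Collect (tag, attrs) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(rendered):
    """Return the start tags a browser-like parser would see in the markup."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def reflected_as_markup(rendered):
    """True if the rendering contains any element other than the one input
    field the template is supposed to produce."""
    return len(start_tags(rendered)) != 1


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = fn(PAYLOAD)
        print(f"{name}: {out}")
        print(f"  tags seen: {[t for t, _ in start_tags(out)]}, "
              f"injected markup: {reflected_as_markup(out)}")
```

The check is deliberately structural rather than a string search: it answers the question that matters for XSS, namely whether the attacker-controlled text became an element or an attribute, which is also the property the escaping introduced by this Werk restores.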
