Werk #15691: Fix XSS in business intelligence
| Component | Setup |
| Title | Fix XSS in business intelligence |
| Date | Jul 25, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.0.0p38 2.1.0p32 2.2.0p8 2.3.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk it was possible to inject HTML or Javascript (Reflected XSS). A legitimate user tricked to click on a prepared link would then run arbitrary Javascript code in a valid session.
This vulnerability is only triggerable if another Business Intelligence BI pack (next to the default) was created.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 (probably older versions as well)
Indicators of Compromise: To check for exploitation one can check the site apache access log var/log/apache/access_log for entries like /$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=. The order of the URL paramters can be changed by an attacker. Potential injected code would be in the parameter bulk_moveto.
Vulnerability Management: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. We assigned CVE-2023-23548 to this vulnerability.
Changes: This Werk introduces escaping for the vulnerable parameter.
