Werk #15691: Fix XSS in business intelligence

Component: Setup
Title: Fix XSS in business intelligence
Date: Jul 25, 2023
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 2.0.0p38, 2.1.0p32, 2.2.0p8, 2.3.0b1
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Prior to this Werk it was possible to inject HTML or JavaScript (reflected XSS). A legitimate user tricked into clicking a prepared link would then run arbitrary JavaScript code within their valid session.

This vulnerability is only triggerable if an additional Business Intelligence (BI) pack was created in addition to the default one.

We found this vulnerability internally.

Affected Versions:
* 2.2.0
* 2.1.0
* 2.0.0
* 1.6.0 (probably older versions as well)

Indicators of Compromise: To check for exploitation, inspect the site apache access log var/log/apache/access_log for entries like /$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=. Note that the order of the URL parameters can be changed by an attacker, so do not rely on the parameters appearing in exactly this order. Any injected code would be in the parameter bulk_moveto.
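The following script is an added example for the log check described above; it is not part of this Werk or of Checkmk. It parses the request target of each access_log line so that the parameter order does not matter, and flags bulk_moveto values containing characters or keywords that have no place in a BI pack id. The log lines are constructed for the example, and the site name "mysite" is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-format access_log lines, constructed for this example (not real site data).
# "mysite" stands in for $SITENAME.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2023:10:01:02 +0200] "GET /mysite/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=custom_pack HTTP/1.1" 200 4321
10.0.0.7 - - [25/Jul/2023:10:02:11 +0200] "GET /mysite/check_mk/wato.py?bulk_moveto=%3Cscript%3Ealert(1)%3C%2Fscript%3E&mode=bi_aggregations HTTP/1.1" 200 4400
10.0.0.9 - - [25/Jul/2023:10:03:45 +0200] "GET /mysite/check_mk/view.py?view_name=allhosts HTTP/1.1" 200 9000
"""

# Extracts method and request target from the quoted request part of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters and keywords not expected in a BI pack id but needed for HTML/JS injection.
SUSPECT_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def classify(line):
    """Return 'suspicious', 'benign', or None if the line is not a bi_aggregations bulk move."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # The site name prefix varies per installation, so match on the wato.py path suffix only.
    if not parts.path.endswith("/check_mk/wato.py"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs is order-independent, which covers attacker-reordered parameters.
    if params.get("mode") != ["bi_aggregations"] or "bulk_moveto" not in params:
        return None
    # Decode once more: a payload may be double-encoded to slip past a naive grep.
    values = [unquote(v) for v in params["bulk_moveto"]]
    return "suspicious" if any(SUSPECT_RE.search(v) for v in values) else "benign"


def scan(log_text):
    """Return (line_number, verdict, raw_line) for every bulk_moveto request in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, line))
    return hits


if __name__ == "__main__":
    for n, verdict, line in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {line}")
```

Run it against the real file with `scan(open("var/log/apache/access_log").read())`; a "benign" hit is a normal bulk move of aggregations between packs, a "suspicious" hit warrants a closer look.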

Vulnerability Management: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. We assigned CVE-2023-23548 to this vulnerability.

Changes: This Werk introduces escaping for the vulnerable parameter.
