Werk #17025: Fix XSS in confirmation pop-up

Component Setup
Title Fix XSS in confirmation pop-up
Date Jun 10, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p7 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.

This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0
  • 2.2.0

Indicators of Compromise:

Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up.

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and assigned CVE-2024-28831.

To the list of all Werks