Werk #17094: Fix XSS on SAML login screen

Component Setup
Title Fix XSS on SAML login screen
Date Sep 5, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p16 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p34 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page. This could facilitate phishing attacks by tricking users into clicking malicious links.

Links in the error message are now escaped and no longer clickable.

This issue was identified during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0

Only users who have configured at least one SAML connection are affected.

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.1 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) and assigned CVE-2024-38860.

To the list of all Werks