Werk #17232: Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI
| Component | User interface | ||||
| Title | Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI | ||||
| Date | Aug 26, 2024 | ||||
| Level | Trivial Change | ||||
| Class | Security Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
The user interface offers the option to display the HTML logs of monitored synthetic tests. These logs are generated on the host where the test is executed and are therefore prone to XSS attacks. A malicious actor with access to the host could attempt to inject malicious JavaScript code into these logs before they are transferred to the monitoring server.
As of this werk, the logs are rendered sandboxed, which prevents code injected into the logs from accessing the surrounding Checkmk site. However, note that an attacker could still attempt to hijack the log to eg. display a fake login page. Therefore, we additionally display a corresponding security note when rendering the logs.
An unfortunate side effect of the sandboxing described above is that the "Expand/Collapse all" buttons in the logs are deactivated. Users can still download the logs and inspect them outside the Checkmk user interface, as before.
This issue was found during internal review.
Affected Versions:
- 2.3.0
Mitigations:
Avoid displaying the HTML logs in the user interface.
Vulnerability Management:
We have rated the issue with a CVSS Score of 2.3 Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) and assigned CVE-2024-38858.