Headline
CVE-2022-24566: Persistent XSS in Predefined Conditions
In Checkmk <=2.0.0p19 (fixed in 2.0.0p20) and Checkmk <=1.6.0p27 (fixed in 1.6.0p28), the title of a Predefined condition is not properly escaped when shown as a condition, which can result in Cross Site Scripting (XSS).
Component
Setup
Title
Persistent XSS in Predefined Conditions
Date
Jan 31, 2022
Checkmk Edition
Checkmk Raw (CRE)
Checkmk Version
2.0.0p20, 1.6.0p28
Level
Prominent Change
Class
Security Fix
Compatibility
Compatible - no manual interaction needed
This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).
The title of a Predefined condition is not properly escaped when shown as a condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is or was used, you can check etc/check_mk/conf.d/wato/predefined_conditions.mk for HTML code. Please be aware that an attacker could delete the code after an attack.
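The check described above, as an added example that is not part of this Werk or of Checkmk itself: a plain-text scan of predefined_conditions.mk for tag-like content, inline event handlers and javascript: URIs. The sample file content is constructed for illustration and its layout is an assumption; the scan is line-based and does not depend on the file's exact structure.

```python
import re
import sys
from typing import List, Tuple

# Indicators of HTML or script content in a field that should be plain text.
HTML_INDICATORS = {
    "html_tag": re.compile(r"<\s*/?[a-zA-Z!]"),          # <b>, </b>, <!-- ... -->
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*="),   # onload=, onmouseover=, ...
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def find_html_in_mk(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_name, stripped_line) for every line that
    contains HTML-like content. A clean result does not prove the file was never
    tampered with: the Werk notes an attacker may remove the code afterwards."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in HTML_INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
                break  # one report per line is enough
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a predefined_conditions.mk file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_html_in_mk(fh.read())


# Constructed sample, not a real predefined_conditions.mk; the dict layout is assumed.
SAMPLE_MK = """\
# constructed sample
predefined_conditions.update({
    'disk_checks': {'title': 'Disk checks', 'shared': True},
    'tampered': {'title': 'Disk <script>x</script> checks', 'shared': True},
    'tampered2': {'title': 'Linux onmouseover=x servers', 'shared': False},
})
"""

if __name__ == "__main__":
    # Usage: python scan_predefined_conditions.py [path/to/predefined_conditions.mk]
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_html_in_mk(SAMPLE_MK)
    for lineno, name, line in results:
        print(f"line {lineno}: {name}: {line}")
    print("no HTML-like content found" if not results else f"{len(results)} suspicious line(s)")
```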
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.