CVE-2022-24564: Persistent XSS in Custom User Attributes

Checkmk <=2.0.0p19 contains a Cross-Site Scripting (XSS) vulnerability. While creating or editing a user attribute, the Help Text is subject to HTML injection, which can be triggered when editing a user.

Component: Setup
Title: Persistent XSS in Custom User Attributes
Date: Jan 27, 2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 2.0.0p20
Level: Prominent Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required

This Werk fixes a Persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).

While creating or editing a user attribute, the Help Text is subject to HTML injection, which can be triggered when editing a user.

To mitigate this vulnerability, ensure that only trustworthy users hold the "User management" and "Manage custom attributes" permissions.

Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions up to and including 2.0.0p19 are.

If you have custom HTML code in the Help Text, it will no longer be rendered as HTML but will be escaped.

To detect whether this vulnerability is or was exploited, check etc/check_mk/multisite.d/wato/custom_attrs.mk for HTML code. Be aware that an attacker could delete the code after an attack, so an absence of HTML in the file today does not prove it was never there.
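As an added example (not part of this Werk or of Checkmk's own code), a detection helper that applies the check above to custom_attrs.mk: it reads the file's `wato_user_attrs += [...]` fragments (the layout of that file is an assumption here) as literals without executing them and reports every attribute whose Help Text contains HTML markup; `escape_help_text` shows the behaviour of the fixed version, where such text is escaped rather than rendered. The sample file content below is constructed.

```python
"""Scan Checkmk's custom_attrs.mk for HTML in custom user attribute Help Texts."""
import ast
import html
import re
from typing import Dict, List

# Constructed sample in the assumed layout of
# etc/check_mk/multisite.d/wato/custom_attrs.mk: Python fragments that append
# attribute dicts (each with a 'help' key) to wato_user_attrs.
SAMPLE_CUSTOM_ATTRS_MK = """\
# Written by WATO
wato_user_attrs += \\
[{'help': 'Your desk phone number',
  'name': 'phone',
  'title': 'Phone',
  'type': 'TextAscii'},
 {'help': 'Site building<script src="https://example.invalid/x.js"></script>',
  'name': 'building',
  'title': 'Building',
  'type': 'TextAscii'}]
"""

# Any opening or closing tag; a looser check (any '<' or '&') trades false
# positives for coverage, since attackers may use malformed markup.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def load_user_attrs(text: str) -> List[Dict]:
    """Parse the .mk fragment as data (ast.literal_eval), never exec()."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    body = body.replace("\\\n", "")  # join backslash line continuations
    attrs: List[Dict] = []
    for chunk in body.split("wato_user_attrs +=")[1:]:  # a file may hold several blocks
        attrs.extend(ast.literal_eval(chunk.strip()))
    return attrs


def find_html_help_texts(attrs: List[Dict]) -> List[str]:
    """Return the names of attributes whose Help Text contains HTML markup."""
    return [str(a.get("name", "?")) for a in attrs if HTML_TAG.search(str(a.get("help", "")))]


def escape_help_text(help_text: str) -> str:
    """What the fixed version does: render the Help Text as text, not HTML."""
    return html.escape(help_text, quote=True)


if __name__ == "__main__":
    # On a real site, read the file from the path named in the Werk instead.
    for name in find_html_help_texts(load_user_attrs(SAMPLE_CUSTOM_ATTRS_MK)):
        print(f"custom attribute {name!r}: Help Text contains HTML, review it")
```

A clean scan only shows that no markup is present now; the Werk notes an attacker may have removed it afterwards.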

A CVE has been requested and will be added later.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.
