CVE-2022-24565: Persistent XSS in Notification configuration

Checkmk <=2.0.0p19 (fixed in 2.0.0p20) and Checkmk <=1.6.0p27 (fixed in 1.6.0p28) are affected by a Cross-Site Scripting (XSS) vulnerability. The alias of a site was not properly escaped when shown as a condition for notifications.


Component: Setup

Title: Persistent XSS in Notification configuration

Date: Jan 27, 2022

Checkmk Edition: Checkmk Raw (CRE)

Checkmk Version: 2.0.0p20, 1.6.0p28

Level: Trivial Change

Class: Security Fix

Compatibility: Compatible - no manual interaction needed

This Werk fixes a persistent Cross-Site Scripting (XSS) vulnerability (CWE-79).

The alias of a site was not properly escaped when shown as a condition for notifications.

To mitigate this vulnerability, ensure that only trustworthy users have the Notification configuration and Site management rights. These are admin rights by default.

Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.

To detect whether this vulnerability is being or was exploited, check etc/check_mk/multisite.d/sites.mk and etc/check_mk/conf.d/wato/notifications.mk for HTML code. Be aware that an attacker could delete the code after an attack.
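The check above can be scripted. The following is an added example, not code from Checkmk or this Werk: it scans the text of a .mk file for HTML-like content (tag openers, inline event handlers, javascript: URLs, character references) and reports the matching lines. The sample sites.mk content is constructed to resemble the file, not copied from a real installation.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Markup that has no business inside a site alias or a notification rule
# condition. Any hit is worth a manual look; a clean result is not proof of
# absence, because an attacker can remove the payload after using it.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-zA-Z!]"        # tag opener: <script, <img, </div, <!--
    r"|\bon[a-zA-Z]+\s*=\s*"     # inline event handler: onerror=, onload=
    r"|javascript\s*:"           # javascript: URL scheme
    r"|&#x?[0-9a-fA-F]+;"        # numeric character reference hiding markup
)


def find_markup(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line of a .mk file
    that contains HTML-like content. Each line is reported at most once."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUSPICIOUS.search(line):
            hits.append((lineno, line.strip()))
    return hits


def scan_paths(paths: List[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan each file and map its path to the suspicious lines found in it."""
    return {p: find_markup(Path(p).read_text(errors="replace")) for p in paths}


# Constructed sample resembling etc/check_mk/multisite.d/sites.mk. The alias
# of the second site carries injected markup of the kind this Werk describes.
SAMPLE_SITES_MK = """\
# Written by WATO
sites.update({
    'prod': {'alias': 'Production', 'url_prefix': '/prod/'},
    'lab':  {'alias': 'Lab <img src=x onerror=alert(1)>', 'url_prefix': '/lab/'},
})
"""

if __name__ == "__main__":
    # Usage: python scan_mk.py etc/check_mk/multisite.d/sites.mk \
    #            etc/check_mk/conf.d/wato/notifications.mk
    files = sys.argv[1:]
    results = scan_paths(files) if files else {"<sample>": find_markup(SAMPLE_SITES_MK)}
    for path, hits in results.items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```

Run it against both files named in the paragraph above; with no arguments it scans the embedded sample and reports the tampered alias line.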

CVE is requested and will be added later.

CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)

We thank Manuel Sommer for finding this vulnerability and bringing this to our attention.

