CVE-2023-22288: Fix Email HTML Injection
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23, <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into emails.
Werk #15069: Fix Email HTML Injection
Component: Notifications
Title: Fix Email HTML Injection
Date: Mar 8, 2023
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 2.3.0b1, 2.2.0b1, 2.0.0p35, 2.1.0p25
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Previously, an authenticated attacker with permissions to configure HTML notifications was able to inject HTML into emails via the "Insert HTML section between body and table" option.
All versions up to 1.6 are subject to this vulnerability.
To detect previous exploitation of this vulnerability, check etc/check_mk/conf.d/wato/notifications.mk: search for insert_html_section and inspect its values for malicious HTML.
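The check above can be automated. The following script is an added example, not part of the Werk or of Checkmk itself; it assumes notifications.mk is Python-literal syntax as WATO writes it, and the sample file contents and the list of suspicious markup are constructed for illustration. The file is parsed with ast and never executed, so a tampered configuration cannot run code during the scan.

```python
import ast
import re
from typing import List, Tuple

# Constructed sample in the shape of a WATO-written notifications.mk (assumption:
# a list of rule dicts appended to notification_rules; the second rule carries
# an injected HTML section of the kind this Werk describes).
SAMPLE_NOTIFICATIONS_MK = r'''
# Written by WATO
# encoding: utf-8

notification_rules += \
[{'description': 'Plain rule',
  'notify_plugin': ('mail', {'insert_html_section': '<p>Weekly report</p>'}),
  'contact_all': True},
 {'description': 'Suspicious rule',
  'notify_plugin': ('mail', {'insert_html_section': '<img src=x onerror="alert(1)">'}),
  'contact_all': True}]
'''

# Markup that has no business in a notification header/footer section:
# active or resource-loading tags, inline event handlers, javascript: URLs.
SUSPICIOUS_HTML = re.compile(
    r"<\s*(script|iframe|object|embed|form|meta|link|base)\b"
    r"|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def find_html_sections(source: str) -> List[Tuple[int, str]]:
    """Return (line number, value) for every insert_html_section string in the file."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            if (isinstance(key, ast.Constant) and key.value == "insert_html_section"
                    and isinstance(value, ast.Constant) and isinstance(value.value, str)):
                hits.append((value.lineno, value.value))
    return hits


def flag_suspicious(source: str) -> List[Tuple[int, str]]:
    """Keep only the sections that contain markup matching SUSPICIOUS_HTML."""
    return [(ln, html) for ln, html in find_html_sections(source) if SUSPICIOUS_HTML.search(html)]


if __name__ == "__main__":
    # To scan a real site, pass open("etc/check_mk/conf.d/wato/notifications.mk").read() instead.
    for ln, html in flag_suspicious(SAMPLE_NOTIFICATIONS_MK):
        print(f"line {ln}: suspicious insert_html_section {html!r}")
```

Flagged sections still need a human look: legitimate branding HTML will not match, but the pattern list is deliberately narrow and should be extended to whatever your own notification templates never use.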
This vulnerability was found internally. We calculated a CVSS 3.1 score of 4.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N and assigned CVE-2023-22288.