[checkmk-commits] [Checkmk/checkmk] a347f8: 15691 SEC Fix XSS in business intelligence

Branch: refs/heads/2.2.0 Home: https://github.com/Checkmk/checkmk Commit: a347f8468616180a492ccd93f126fa948834e59a https://github.com/Checkmk/checkmk/commit/a347f8468616180a492ccd93f126fa948… Author: Maximilian Wirtz &lt;maximilian.wirtz(a)checkmk.com&gt; Date: 2023-08-01 (Tue, 01 Aug 2023) Changed paths: A .werks/15691 M cmk/gui/plugins/wato/bi_config.py Log Message: ----------- 15691 SEC Fix XSS in business intelligence Prior to this Werk it was possible to inject HTML or Javascript (Reflected XSS). A legitimate user tricked to click on a prepared link would then run arbitrary Javascript code in a valid session. This vulnerability is only triggerable if another <i>Business Intelligence</i> <i>BI pack</i> (next to the default) was created. We found this vulnerability internally. <b>Affected Versions</b>: LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 LI: 1.6.0 (probably older versions as well) <b>Indicators of Compromise</b>: To check for exploitation one can check the site apache access log <tt>var/log/apache/access_log</tt> for entries like <tt>/$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=</tt>. The order of the URL paramters can be changed by an attacker. Potential injected code would be in the parameter <tt>bulk_moveto</tt>. <b>Vulnerability Management</b>: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N</tt>. We assigned CVE-2023-23548 to this vulnerability. <b>Changes</b>: This Werk introduces escaping for the vulnerable parameter. CMK-14034 Change-Id: Ic48e5580a612bc34af8dcf31acacb2fbc1ee742c