Branch: refs/heads/2.0.0
Home:
https://github.com/tribe29/checkmk
Commit: 40a1563de60f452bccce24cf3b7b5c939dcb2b99
https://github.com/tribe29/checkmk/commit/40a1563de60f452bccce24cf3b7b5c939…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13199
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_html_cls.py
Log Message:
-----------
13199 SEC Persistent XSS in Custom User Attributes
This Werk fixes a Persistent Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
While creating or editing a <i>user attribute</i> the <i>Help Text</i> is subject to HTML injection, which can be triggered by editing a user.
To mitigate this vulnerability ensure that only trustworthy users have the <i>User management</i> and <i>Manage custom attributes</i> rights.
Checkmk 1.6 is not subject to this vulnerability, but all 2.0 versions including 2.0.0p19 are.
If you have custom HTML code in the <i>Help Text</i> this will no longer be
rendered as HTML, but will be escaped.
To detect if this vulnerability is/was used you can check <tt>etc/check_mk/multisite.d/wato/custom_attrs.mk</tt> for HTML code. Please be aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Ia8e37d61a8a286a24ae8e73d166185a8c46cec9d
Commit: 03152e756198c4663d1f9880ba86c015712d9f18
https://github.com/tribe29/checkmk/commit/03152e756198c4663d1f9880ba86c0157…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13716
M cmk/gui/valuespec.py
Log Message:
-----------
13716 SEC Persistent XSS in Notification configuration
This Werk fixes a Persistent Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The <i>Alias</i> of a site was not properly escaped when shown as condition for notifications.
To mitigate this vulnerability ensure that only trustworthy users have the <i>Notification configuration</i> and <i>Site management</i> rights. These are <i>admin</i> rights by default.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check <tt>etc/check_mk/multisite.d/sites.mk</tt> and <tt>etc/check_mk/conf.d/wato/notifications.mk</tt> for HTML code. Please be aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N (5.2 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Iba5414babde5b8f7f6b42149ba3bcecb423d42dd
Commit: 2a81ef35050e66bfea4ed2c9084b6e4bb360e868
https://github.com/tribe29/checkmk/commit/2a81ef35050e66bfea4ed2c9084b6e4bb…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-01-31 (Mon, 31 Jan 2022)
Changed paths:
A .werks/13717
M cmk/gui/wato/pages/rulesets.py
Log Message:
-----------
13717 SEC Persistent XSS in Predefined Conditions
This Werk fixes a Persistent Cross-Site-Scripting (XSS) vulnerability. (CWE-79)
The title of a <i>Predefined condition</i> is not properly escaped when shown as condition.
No mitigation is available.
Checkmk 1.6 and Checkmk 2.0 were subject to this vulnerability.
To detect if this vulnerability is/was used you can check <tt>etc/check_mk/conf.d/wato/predefined_conditions.mk</tt> for HTML code. Please be aware that an attacker could delete the code after an attack.
CVE is requested and will be added later.
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N (6.3 medium)
We thank Manuel Sommer for finding this vulnerability and bringing this to our
attention.
Change-Id: Id48483af0639af06ea901e9916877b752da80b70
Compare:
https://github.com/tribe29/checkmk/compare/357c808d6e54...2a81ef35050e
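All three werks give the same detection advice: check the named WATO configuration files for HTML code. The script below is an added example (not Checkmk code and not part of these commits) that scans those four files for HTML-looking tags and reports file and line; the site-home layout and the `wato_user_attrs` sample content are assumptions, and the sample values are constructed.

```python
import re
from pathlib import Path
from typing import List, NamedTuple

# Files named by werks 13199, 13716 and 13717 as places where injected HTML persists.
# Paths are relative to the site home (assumed: /omd/sites/<site>).
CONFIG_FILES = [
    "etc/check_mk/multisite.d/wato/custom_attrs.mk",        # 13199: custom user attribute help text
    "etc/check_mk/multisite.d/sites.mk",                     # 13716: site alias
    "etc/check_mk/conf.d/wato/notifications.mk",             # 13716: notification conditions
    "etc/check_mk/conf.d/wato/predefined_conditions.mk",     # 13717: predefined condition titles
]

# An HTML-looking tag: '<', optional '/', a tag name, then anything up to '>'.
# A tag name must follow '<' directly, so comparisons like "a < b and c > d" are not flagged.
HTML_TAG = re.compile(r"</?[a-zA-Z][a-zA-Z0-9]*[^<>]*>")


class Finding(NamedTuple):
    path: str
    line_no: int   # 1-based
    match: str


def scan_text(text: str, path: str = "<string>") -> List[Finding]:
    """Return every HTML-looking tag in `text` together with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HTML_TAG.finditer(line):
            findings.append(Finding(path, line_no, m.group(0)))
    return findings


def scan_site(site_home: str) -> List[Finding]:
    """Scan the four config files below a site home; files that do not exist are skipped."""
    findings: List[Finding] = []
    for rel in CONFIG_FILES:
        p = Path(site_home) / rel
        if p.is_file():
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings


# Constructed sample in the style of custom_attrs.mk (assumed layout, not a real dump).
SAMPLE_CUSTOM_ATTRS = """\
wato_user_attrs += [
    {'name': 'pager', 'title': 'Pager', 'help': 'Pager number', 'type': 'TextAscii'},
    {'name': 'dept', 'title': 'Dept', 'help': 'Contact <b>ops</b> first', 'type': 'TextAscii'},
    {'name': 'x', 'title': 'X', 'help': '<script>/* constructed */</script>', 'type': 'TextAscii'},
]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CUSTOM_ATTRS, CONFIG_FILES[0]):
        print(f"{f.path}:{f.line_no}: HTML fragment {f.match!r}")
```

Run `scan_site("/omd/sites/<site>")` on a real site; any hit deserves a look, since after the fix legitimate help text is escaped rather than rendered and there is no reason for tags to remain.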