[checkmk-commits] [tribe29/checkmk] 6f14b3: 14924 SEC Fix CSRF in add-visual endpoint

Branch: refs/heads/2.0.0 Home: https://github.com/tribe29/checkmk Commit: 6f14b34db40105e76752c8583c1128dc9d213d94 https://github.com/tribe29/checkmk/commit/6f14b34db40105e76752c8583c1128dc9… Author: Maximilian Wirtz &lt;maximilian.wirtz(a)tribe29.com&gt; Date: 2022-12-14 (Wed, 14 Dec 2022) Changed paths: A .werks/14924 M cmk/gui/visuals.py Log Message: ----------- 14924 SEC Fix CSRF in add-visual endpoint Previously to this Werk an attacker could utilize a cross site request forgery vulnerability in Checkmk to add elements to visuals (e.g. dashboards, reports, etc.). <b>Mitigations:</b> If you are unable to update in a timely manner you could remove the permission <tt>Customize dashboards and use them</tt> and <tt>Customize reports and use them</tt> from the used roles. So the users and admins cannot edit dashboards and reports anymore. Adding a <tt>Custom url</tt> with a malicious URL is blocked by the Content-Security-Policy. All versions of Checkmk including (1.6) are subject to this vulnerability. This vulnerability was found through a self commissioned Penetration test. We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L</tt> A CVE has been requested. CMK-11705 Change-Id: If71e0347339eb5bcb590b749476aab7939e0710e