CVE-2022-48320: Fix CSRF in add-visual endpoint

Cross-site Request Forgery (CSRF) in Tribe29’s Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.

Component: Setup
Title: Fix CSRF in add-visual endpoint
Date: Dec 1, 2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 2.2.0b1, 2.1.0p18, 2.0.0p32
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Before this Werk, an attacker could exploit a cross-site request forgery (CSRF) vulnerability in Checkmk to add elements to visuals (e.g. dashboards, reports, etc.).

Mitigations: If you are unable to update in a timely manner, you can remove the permissions "Customize dashboards and use them" and "Customize reports and use them" from the roles in use, so that users and admins can no longer edit dashboards and reports. Adding a Custom URL element with a malicious URL is blocked by the Content-Security-Policy.
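The two paragraphs above describe the defect (a state-changing endpoint that accepts any request carrying the victim's session cookie) and the stop-gap (removing the customize permissions from roles). The following Python is an added illustration of both, not Checkmk's code: the `Session`, `Request` and handler names are hypothetical stand-ins, the `_csrf_token` form field is an assumed name for a synchronizer token, and the permission strings are taken from the advisory text. It shows the unprotected handler beside a hardened one that requires a POST, a session-bound token compared in constant time, and the relevant permission.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Permission names quoted in the advisory; removing them from a role is the
# interim mitigation until the fixed version is deployed.
PERM_CUSTOMIZE_DASHBOARDS = "Customize dashboards and use them"
PERM_CUSTOMIZE_REPORTS = "Customize reports and use them"


@dataclass
class Session:
    """Server-side session state (hypothetical, not Checkmk's own class).
    The CSRF token is generated per session and reaches the browser only
    embedded in pages the server renders for that session."""
    user: str
    permissions: set = field(default_factory=set)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    visuals: dict = field(default_factory=dict)


@dataclass
class Request:
    """Minimal stand-in for a parsed HTTP request (hypothetical)."""
    method: str
    form: dict


def csrf_token_is_valid(session: Session, request: Request) -> bool:
    """Synchronizer-token check: the token submitted in the form must equal the
    one bound to the caller's session. A page on another origin can make the
    victim's browser send the session cookie, but cannot read the token out of
    the victim's page, so a forged request arrives without it."""
    submitted = request.form.get("_csrf_token")
    if not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def required_permission(visual_type: str) -> str:
    """Map the visual type being added to the permission that guards it."""
    return PERM_CUSTOMIZE_REPORTS if visual_type == "report" else PERM_CUSTOMIZE_DASHBOARDS


def add_visual_vulnerable(session: Session, request: Request) -> bool:
    """'Before' behaviour described by the Werk: any request that carries a
    valid session cookie adds the element, whichever site triggered it."""
    session.visuals[request.form["name"]] = request.form.get("url", "")
    return True


def add_visual_fixed(session: Session, request: Request) -> bool:
    """State-changing endpoint with CSRF protection plus the permission check
    that the advisory's mitigation relies on. Returns True only if added."""
    if request.method != "POST":  # a GET must never change state
        return False
    if not csrf_token_is_valid(session, request):
        return False
    visual_type = request.form.get("type", "dashboard")
    if required_permission(visual_type) not in session.permissions:
        return False  # role had the permission removed: nothing to forge against
    session.visuals[request.form["name"]] = request.form.get("url", "")
    return True


def demo() -> dict:
    """Constructed scenario: a victim holding both permissions, a forged
    cross-site POST carrying the cookie but no token, and a legitimate POST."""
    victim = Session("alice", {PERM_CUSTOMIZE_DASHBOARDS, PERM_CUSTOMIZE_REPORTS})
    forged = Request("POST", {"name": "injected", "url": "https://example.invalid/"})
    legit = Request("POST", {"name": "cpu", "url": "/view?view_name=cpu",
                             "_csrf_token": victim.csrf_token})
    mitigated = Session("carol")  # role without the customize permissions
    return {
        "vulnerable_accepts_forged": add_visual_vulnerable(Session("bob"), forged),
        "fixed_rejects_forged": not add_visual_fixed(victim, forged),
        "fixed_accepts_legit": add_visual_fixed(victim, legit),
        "mitigated_role_rejected": not add_visual_fixed(
            mitigated, Request("POST", {"name": "x", "_csrf_token": mitigated.csrf_token})),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The permission check is what makes the interim mitigation work: with the customize permissions removed from a role, even a successfully forged request has nothing it is allowed to change. The token check is the actual fix and does not depend on the role configuration.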

All versions of Checkmk, including 1.6, are subject to this vulnerability.

This vulnerability was found through a self-commissioned penetration test.

We have rated the issue with a CVSS score of 5.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. A CVE has been requested.
