Checkmk NagVis Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the NagVis component of Checkmk, specifically in Checkmk version 2.3.0p2 and NagVis version 1.9.40. This vulnerability allows an attacker to inject and execute arbitrary JavaScript in the context of the user's browser. The issue arises when the 'members' body parameter is processed by 'std_table.php' without proper validation, enabling the injection of malicious scripts that execute upon delivery.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to 'userfiles/gadgets/std_table.php' with a 'members' parameter that includes a crafted JSON object. The 'summary_state' property should contain a script tag with JavaScript code, such as 'eval(window.name)'. This can be automated with a form on an attacker-controlled website that submits the malicious payload when the page is loaded.

Remediation

Users can upgrade to Checkmk 2.3.0p10 or NagVis 1.9.42, both released on July 15, 2024, to address this vulnerability.