PT-2021-21290 · Checkmk +1

Edgarloyola · Published 2021-07-26 · Updated 2022-07-20 · CVE-2021-36563

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CheckMK management web console versions 1.5.0 through 2.0.0

Description: The CheckMK management web console does not sanitise user input in various parameters of the WATO module. An attacker can store HTML content that the browser then interprets, such as JavaScript or other client-side scripts (stored XSS). The payload is triggered when a user opens specific sections of the application. An attacker with the monitor role can use the stored XSS to steal the secretAutomation value and create another administrator user with high privileges. Persistent XSS also allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session.

Recommendations: For CheckMK management web console versions 1.5.0 through 2.0.0, consider disabling the WATO module until a patch is available. Restrict access to the web management interface to minimise the risk of exploitation. Avoid using the secretAutomation parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, monitor user activity and session management to detect potentially hijacked sessions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: XSS


Weakness Enumeration

Related Identifiers

CVE-2021-36563
USN-5527-1
USN-5527-2

Affected Products

Checkmk
Ubuntu