CVE-2021-40906
https://notcve.org/view.php?id=CVE-2021-40906
CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication. El software CheckMK Raw Edition (versiones 1.5.0 a 1.6.0) no sanea la entrada de un parámetro de servicio web que está en una zona no autenticada. Este ataque de tipo XSS reflejado permite a un atacante abrir una puerta trasera en el dispositivo con contenido HTML e interpretado por el navegador (como JavaScript u otros scripts del lado del cliente) o robar las cookies de sesión de un usuario que se haya autenticado previamente por medio de un ataque de tipo man in the middle. • https://github.com/Edgarloyola/CVE-2021-40906 http://checkmk.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-40905
https://notcve.org/view.php?id=CVE-2021-40905
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner ** EN DISTPUTA ** La consola de administración web de CheckMK Enterprise Edition (versiones 1.5.0 a 2.0.0p9) no sanea correctamente la carga de archivos ".mkp", que son Paquetes de Extensión, haciendo posible una ejecución de código remota. Una explotación con éxito requiere el acceso a la interfaz de administración web, ya sea con credenciales válidas o con una sesión secuestrada de un usuario con rol de administrador. NOTA: el proveedor afirma que este es el comportamiento previsto: se supone que los administradores pueden ejecutar código de esta manera • https://github.com/Edgarloyola/CVE-2021-40905 http://checkmk.com • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2021-40904
https://notcve.org/view.php?id=CVE-2021-40904
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator. La consola de administración web de CheckMK Raw Edition (versiones 1.5.0 a 1.6.0) permite una configuración errónea de la web-app Dokuwiki (instalada por defecto), que permite una inserción de código php. Como resultado, es conseguida una ejecución de código remota. • https://github.com/Edgarloyola/CVE-2021-40904 http://checkmk.com • CWE-276: Incorrect Default Permissions •
CVE-2021-36563
https://notcve.org/view.php?id=CVE-2021-36563
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts), the XSS payload will be triggered when the user accesses some specific sections of the application. In the same sense a very dangerous potential way would be when an attacker who has the monitor role (not administrator) manages to get a stored XSS to steal the secretAutomation (for the use of the API in administrator mode) and thus be able to create another administrator user who has high privileges on the CheckMK monitoring web console. Another way is that persistent XSS allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session. • https://github.com/Edgarloyola/CVE-2021-36563 https://checkmk.com/de/werk/12762 https://checkmk.com/de/werk/13148 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-24908
https://notcve.org/view.php?id=CVE-2020-24908
Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\checkmk\agent\local directory. Checkmk versiones anteriores a 1.6.0p17, permite a usuarios locales alcanzar privilegios SYSTEM por medio de un script de shell de tipo caballo de Troya en el directorio %PROGRAMDATA%\checkmk\agent\local • https://compass-security.com/fileadmin/Research/Advisories/2020-05_CSNC-2020-005_Checkmk_Local_Privilege_Escalation.txt •