Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

Checkmk 2.3.0p2 / NagVis 1.9.40 Cross Site Scripting

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 117
KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Title: Checkmk NagVis Reflected Cross-site KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Title: Checkmk NagVis Reflected Cross-site Scripting
Advisory ID: KL-001-2025-001
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt


1. Vulnerability Details

???? Affected Vendor: Checkmk
???? Affected Product: Checkmk/NagVis
???? Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
???? Platform: GNU/Linux
???? CWE Classification: CWE-79: Improper Neutralization of Input
???????????????????????? During Web Page Generation
???????????????????????? ('Cross-site Scripting')
???? CVE ID: CVE-2024-13722


2. Vulnerability Description

???? The "NagVis" component within Checkmk is vulnerable to reflected
???? cross-site scripting. An attacker can craft a malicious link
???? that will execute arbitrary JavaScript in the context of the
???? browser once clicked. The attack can be performed on both
???? authenticated and unauthenticated users.

3. Technical Description

???? Checkmk version 2.3.0.p2 ships with a component named
???? "NagVis", which is an addon for the network management
???? system "Nagios". When receiving an HTTP POST request for the
???? "userfiles/gadgets/std_table.php" file, the query and body
???? parameters contained within the request are processed by the
???? script. Specifically, the script accepts the "members" body
???? parameter, which is then parsed as a JSON object.

???? The "summary_state" property of the "members" JSON object is
???? reflected into the page response without validation. A POST
???? request containing a malicious "summary_state" value can inject
???? arbitrary JavaScript via the HTML "script" tag into the page
???? response. When rendered in a browser, the attacker controlled
???? JavaScript executes, enabling an attacker to perform actions
???? as the currently logged-in user.

???? The "members" JSON object must be supplied via a POST
???? body parameter, so exploitation of this issue relies
???? on a cross-origin HTTP request originating from an
???? attacker controlled web page. The malicious website
???? (e.g. https://attacker.com/foo.html) can contain an HTML
???? "form" tag with an "action" attribute pointing at the URL
???? for the "std_table.php" script.? Additional JavaScript on the
???? attacker controlled page can automatically submit the form once
???? a user loads the page. The browser will send a POST request
???? cross-origin and redirect the browser to the HTTP response of
???? the POST request, thereby executing the malicious JavaScript
???? on the NagVis web page.

4. Mitigation and Remediation Recommendation

???? This issue has been remediated in Nagvis 1.9.42 and Checkmk
???? 2.3.0p10, both release 2024-07-15.


5. Credit

???? This vulnerability was discovered by Jaggar Henry and Jim
???? Becher of KoreLogic, Inc.


6. Disclosure Timeline

???? 2024-06-11 : KoreLogic reports vulnerability details to Checkmk
????????????????? Security Team.
???? 2024-06-12 : Checkmk acknowledges receipt.
???? 2024-06-21 : Checkmk requests an extension of embargo to
????????????????? 90 business days.
???? 2024-07-15 : Checkmk/NagVis release versions featuring
????????????????? remediation for the reported vulnerability.
????????????????? Checkmk neglects to inform KoreLogic of this event.
???? 2024-11-22 : KoreLogic requests an update from Checkmk but
????????????????? receives no reply.
???? 2025-02-04 : KoreLogic public disclosure.


7. Proof of Concept

???? 1) Serve the following HTML from a web server (e.g. python -m http.server)
???? 2) View the URL serving the file in a web browser:
???????? <html>
????????????? <form method='POST'
action='http://checkmkhost/cmk/nagvis/userfiles/gadgets/std_table.php?object_id=1337&scale=100&opts=show_service_states=foo;group_states=0;&type=dyngroup&object_types=host&state=FL'>
?????????????????? <input type='hidden' name='members'
value='[{"summary_in_downtime":1,"summary_state":"\"><script>eval(window.name)</script>"}]'>
????????????? </form>

????????????? <script>
?????????????????? window.onload = function() {
??????????????????????? window.name = `prompt('KoreLogic')`;
??????????????????????? document.forms[0].submit();
?????????????????? }
????????????? </script>
???????? </html>


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Social Media Share