17094 SEC Fix XSS on SAML login screen

Escape links on the saml2 login error message, which is passed via the URL CMK-18240 Change-Id: Id3903d8bb13c28ae59d03b5ccc68c4cba2c27bfb
Checkmk · Sep 17, 2024 · b765e39 · b765e39
1 parent 371de1d
commit b765e39
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/.werks/17094.md b/.werks/17094.md
@@ -0,0 +1,28 @@
+[//]: # (werk v2)
+# Fix XSS on SAML login screen
+
+key        | value
+---------- | ---
+date       | 2024-09-05T15:23:53+00:00
+version    | 2.3.0p16
+class      | security
+edition    | cee
+component  | wato
+level      | 1
+compatible | yes
+
+Prior to Werk, attackers could craft URLs that rendered clickable HTML links in the error box on the SAML login page.
+This could facilitate phishing attacks by tricking users into clicking malicious links.
+
+Links in the error message are now escaped and no longer clickable.
+
+This issue was identified during internal review.
+
+*Affected Versions*:
+
+* 2.3.0
+* 2.2.0
+
+*Vulnerability Management*:
+
+We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N`) and assigned `CVE-2024-38860`.
diff --git a/cmk/gui/utils/login.py b/cmk/gui/utils/login.py
@@ -11,6 +11,7 @@
 from cmk.gui.http import request
 from cmk.gui.i18n import _
 from cmk.gui.userdb.type_defs import RelayState
+from cmk.gui.utils.escaping import escape_text
 from cmk.gui.utils.urls import makeuri_contextless
 from cmk.gui.utils.user_errors import user_errors
 
@@ -35,7 +36,9 @@ def show_saml2_login(
         saml_css_class = []
         html.close_div()
         if (
-            saml2_user_error := request.get_str_input("_saml2_user_error")
+            saml2_user_error := escape_text(
+                request.get_str_input("_saml2_user_error"), escape_links=True
+            )
         ) and request.get_str_input("_connection_id") == connection["id"]:
             user_errors.add(
                 MKUserError(