Stored XSS in host groups configuration window in Zabbix Frontend
CVE-2022-23133

6.3MEDIUM

Key Information:

Vendor

Zabbix

Status
Frontend
Vendor
CVE Published:
13 January 2022

What is CVE-2022-23133?

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Frontend 5.0.0 – 5.0.18

Frontend 5.4.0 – 5.4.8

Frontend 5.0.19 < 5.0.19*

References

https://support.zabbix.com/browse/ZBX-20388
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zabbix wants to thank Hazem Osama for reporting this issue to us
JSON
.