Stored XSS in host groups configuration window in Zabbix Frontend
CVE-2022-23133

6.3MEDIUM

Key Information:

Vendor: Zabbix
Status: Frontend
Vendor: CVE Published:; 13 January 2022

🔔 Create Zabbix Vulnerability Alert

What is CVE-2022-23133?

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Affected Version(s)

Frontend 5.0.0 – 5.0.18

Frontend 5.4.0 – 5.4.8

Frontend 5.0.19 < 5.0.19*

References

https://support.zabbix.com/browse/ZBX-20388

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 13, 2022
Vulnerability Reserved
Jan 11, 2022

Credit

Zabbix wants to thank Hazem Osama for reporting this issue to us

.

The Cyber Security Vulnerability Database.