Reflected XSS in graphs page of Zabbix Frontend
CVE-2022-35230

3.7LOW

Key Information:

Vendor: Zabbix
Status: Frontend
Vendor: CVE Published:; 6 July 2022

What is CVE-2022-35230?

An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

Affected Version(s)

Frontend 4.0.0-4.0.42

Frontend 5.0.0-5.0.24

References

https://support.zabbix.com/browse/ZBX-21305

https://lists.debian.org/debian-lts-announce/2023/04/msg0...

mailing-list

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 6, 2022
Vulnerability Reserved
Jul 5, 2022

Credit

internal research