Reflected XSS in the backurl parameter of Zabbix Frontend
CVE-2022-40626

4.8MEDIUM

Key Information:

Vendor: Zabbix
Status: Frontend
Vendor: CVE Published:; 14 September 2022

What is CVE-2022-40626?

An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.

Affected Version(s)

Frontend 6.0.0-6.0.6

Frontend 6.2.0

Frontend 6.0.7rc1

References

https://support.zabbix.com/browse/ZBX-21350

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 14, 2022
Vulnerability Reserved
Sep 13, 2022

Credit

internal research