Cross-Site Scripting Vulnerability in Zabbix by Zabbix SIA
CVE-2024-45699

7.5 HIGH

Key Information:

Vendor: Zabbix

Status
Vendor
CVE Published: 2 April 2025

What is CVE-2024-45699?

The Zabbix platform contains a vulnerability in the endpoint /zabbix.php?action=export.valuemaps, which is susceptible to Cross-Site Scripting. This issue arises due to the improper handling of user-provided input, specifically the backurl parameter, allowing attackers to inject malicious JavaScript code. When exploited, this vulnerability could execute the injected script within the victim's browser, posing a significant risk of unauthorized actions or data exposure.

Affected Version(s)

Zabbix 6.0.0 <= 6.0.36

Zabbix 6.4.0 <= 6.4.20

Zabbix 7.0.0 <= 7.0.6

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zabbix wants to thank ginoah for submitting this report on the HackerOne bug bounty platform.