Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-15803

CWE-79 — Cross-site Scripting (XSS)9 documents8 sources

Severity

6.1MEDIUM

EPSS

2.3%

top 15.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zabbix Zabbix Debian Debian Linux Fedoraproject Fedora +2 more

Timeline

PublishedJul 17

Latest updateJun 15

Description

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Debianzabbix< 1:5.0.2+dfsg-1+3

▶NVDzabbix/zabbix4.0.0 — 4.0.21+7

▶NVDopensuse/leap15.1, 15.2+1

▶NVDopensuse/backportssle-15

Also affects: Debian Linux 9.0, Fedora 31, 32

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

GHSA

GHSA-79cm-2gxq-7x9r: Zabbix before 3↗2022-05-24

▶

CVEList

CVE-2020-15803: Zabbix before 3↗2020-07-17

▶

OSV

CVE-2020-15803: Zabbix before 3↗2020-07-17

▶

💥Exploits & PoCs

Exploit-DB

Zabbix 5.0.0 - Stored XSS via URL Widget Iframe↗2020-12-04

▶

📋Vendor Advisories

Ubuntu

Zabbix vulnerabilities↗2022-06-15

▶

Debian

CVE-2020-15803: zabbix - Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10...↗2020

▶

💬Community

Bugzilla

CVE-2020-15803 zabbix: stored XSS in the URL Widget↗2020-07-17

▶

Bugzilla

CVE-2020-15803 zabbix: stored XSS in the URL Widget [fedora-all]↗2020-07-17

▶