CVE-2022-23133 — Cross-site Scripting in Zabbix

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

CNA6.3

EPSS

1.0%

top 23.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Zabbix Frontend Fedoraproject Fedora

Timeline

PublishedJan 13

Latest updateJan 14

Description

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+3

▶NVDzabbix/zabbix5.0.0 — 5.0.18+2

▶CVEListV5zabbix/frontend5.0.0 – 5.0.18, 5.4.0 – 5.4.8+1

Also affects: Fedora 34, 35

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

GHSA

GHSA-2r84-x97c-3ch4: An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users↗2022-01-14

▶

CVEList

Stored XSS in host groups configuration window in Zabbix Frontend↗2022-01-13

▶

OSV

CVE-2022-23133: An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users↗2022-01-13

▶

📋Vendor Advisories

Debian

CVE-2022-23133: zabbix - An authenticated user can create a hosts group from the configuration with XSS p...↗2022

▶