CVE-2022-35229 — Cross-site Scripting in Zabbix

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.4MEDIUMNVD

CNA3.7

EPSS

0.8%

top 25.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Zabbix Frontend

Timeline

PublishedJul 6

Latest updateApr 25

Description

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDzabbix/zabbix5.0.0 — 5.0.25+3

▶Debianzabbix/zabbix< 1:5.0.44+dfsg-1+deb11u1+3

▶Ubuntuzabbix/zabbix< 1:2.2.2+dfsg-1ubuntu1+esm5+4

▶CVEListV5zabbix/frontend4 versions+3

Patches

Patch: support.zabbix.com ↗Patch: support.zabbix.com ↗

🔴Vulnerability Details

OSV

zabbix vulnerabilities↗2024-04-25

▶

GHSA

GHSA-44qv-5wxp-8xqv: An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users↗2022-07-07

▶

CVEList

Reflected XSS in discovery page of Zabbix Frontend↗2022-07-06

▶

OSV

CVE-2022-35229: An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users↗2022-07-06

▶

📋Vendor Advisories

Ubuntu

Zabbix vulnerabilities↗2024-04-25

▶

Debian

CVE-2022-35229: zabbix - An authenticated user can create a link with reflected Javascript code inside it...↗2022

▶