CVE-2022-35230: Cross-site Scripting in Zabbix

Severity: 5.4 MEDIUM (NVD); 3.7 (CNA)
EPSS: 0.9% (top 24.69%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jul 6
Latest update: Apr 25

Description

An authenticated user can create a link with reflected JavaScript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7
Decoded: network attack vector, low attack complexity, low privileges required (an authenticated user), user interaction required (the victim must open the crafted link), changed scope, low confidentiality and integrity impact, no availability impact.

Affected Packages (4 packages)

NVD: zabbix/zabbix < 5.0.25 (+1)
Debian: zabbix/zabbix < 1:5.0.44+dfsg-1+deb11u1 (+3)
Ubuntu: zabbix/zabbix < 1:2.2.2+dfsg-1ubuntu1+esm5 (+4)
CVEListV5: zabbix/frontend 4.0.0-4.0.42, 5.0.0-5.0.24 (+1)

Patches

Vulnerability Details (4)

OSV: zabbix vulnerabilities (2024-04-25)
GHSA: GHSA-6f4g-hm4f-cqp3: An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users (2022-07-07)
OSV: CVE-2022-35230: An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users (2022-07-06)
CVEList: Reflected XSS in graphs page of Zabbix Frontend (2022-07-06)

Vendor Advisories (2)

Ubuntu: Zabbix vulnerabilities (2024-04-25)
Debian: CVE-2022-35230: zabbix - An authenticated user can create a link with reflected Javascript code inside it... (2022)