CVE-2023-29452 — Improper Input Validation in Zabbix

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

2.0%

top 16.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix Debian Zabbix

Timeline

PublishedJul 13

Description

Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/zabbix< zabbix 1:6.0.23+dfsg-1 (forky)

▶Debianzabbix/zabbix< 1:6.0.23+dfsg-1+1

▶CVEListV5zabbix/zabbix6.4.0 — 6.4.2+1

▶NVDzabbix/zabbix6.0.0 — 6.0.17+2

🔴Vulnerability Details

GHSA

GHSA-3r46-m7qj-9cf6: Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Othe↗2023-07-13

▶

OSV

CVE-2023-29452: Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Othe↗2023-07-13

▶

📋Vendor Advisories

Debian

CVE-2023-29452: zabbix - Currently, geomap configuration (Administration -> General -> Geographical maps)...↗2023

▶