CVE-2023-32725: Reliance on Cookies without Validation and Integrity Checking in Frontend

Severity
NVD: 8.8 HIGH
CNA: 9.6
EPSS: 0.3% (top 49.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 18

Description

The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Source     Package               Affected versions
NVD        zabbix/frontend       6.0.0 to 6.0.21 (+2 more ranges)
Debian     zabbix/zabbix         < 1:6.0.23+dfsg-1 (+1 more range)
CVEListV5  zabbix/zabbix         6.0.0 to 6.0.21 (+2 more ranges)
NVD        zabbix/zabbix_server  6.0.0 to 6.0.21 (+2 more ranges)

Vulnerability Details (2)

OSV (2023-12-18): CVE-2023-32725: The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports
CVEList (2023-12-18): Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.

Vendor Advisories (1)

Debian (2023): CVE-2023-32725: zabbix - The website configured in the URL widget will receive a session cookie when test...