CVE-2024-45699 — Cross-site Scripting in Zabbix

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 56.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedApr 2

Description

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDzabbix/zabbix6.0.0 — 6.0.37+2

▶Debianzabbix/zabbix< 1:5.0.46+dfsg-1+deb11u1+2

▶CVEListV5zabbix/zabbix6.0.0 — 6.0.36+2

🔴Vulnerability Details

CVEList

Reflected XSS vulnerability in /zabbix.php?action=export.valuemaps↗2025-04-02

▶

GHSA

GHSA-xc8w-x6qp-w4p7: The endpoint /zabbix↗2025-04-02

▶

OSV

CVE-2024-45699: The endpoint /zabbix↗2025-04-02

▶

📋Vendor Advisories

Debian

CVE-2024-45699: zabbix - The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scrip...↗2024

▶