CVE-2022-23133

EUVD-2022-28224
An authenticated user can create a host group from the configuration page with an XSS payload, which will be served to other users. When the stored XSS is planted by an authenticated malicious actor and other users search for groups during new host creation, the XSS payload fires, and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Cross-site Scripting
| Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector                                       |
|----------|---------|------------|-------------|-----------------|----------------|----------------------------------------------|
| NIST     | Primary | 6.3 MEDIUM | NETWORK     | LOW             | LOW            | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| Zabbix   | CNA     | 6.3 MEDIUM | NETWORK     | LOW             | LOW            | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Base Score (CVSS 3.x): 6.3 MEDIUM
EPSS Score: percentile 76%
Affected Products (NVD)

| Vendor | Product | Version              |
|--------|---------|----------------------|
| zabbix | zabbix  | 5.0.0 ≤ x ≤ 5.0.18   |
| zabbix | zabbix  | 5.4.0 ≤ x ≤ 5.4.8    |
| zabbix | zabbix  | x = 6.0.0:alpha1     |

x = vulnerable software versions
Debian Releases

| Product | Codename            | Version                  | Status       |
|---------|---------------------|--------------------------|--------------|
| zabbix  | bookworm            | 1:6.0.14+dfsg-1          | fixed        |
| zabbix  | bullseye            |                          | vulnerable   |
| zabbix  | bullseye (security) | 1:5.0.44+dfsg-1+deb11u1  | fixed        |
| zabbix  | buster              |                          | not-affected |
| zabbix  | sid                 | 1:7.0.5+dfsg-1           | fixed        |
| zabbix  | stretch             |                          | not-affected |
| zabbix  | trixie              | 1:7.0.3+dfsg-1           | fixed        |
Ubuntu Releases

| Product | Codename | Status       |
|---------|----------|--------------|
| zabbix  | bionic   | not-affected |
| zabbix  | focal    | not-affected |
| zabbix  | hirsute  | ignored      |
| zabbix  | impish   | ignored      |
| zabbix  | jammy    | needed       |
| zabbix  | kinetic  | ignored      |
| zabbix  | lunar    | ignored      |
| zabbix  | mantic   | not-affected |
| zabbix  | noble    | dne          |
| zabbix  | trusty   | not-affected |
| zabbix  | xenial   | not-affected |