Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20388

Stored XSS in host groups configuration window in Zabbix Frontend (CVE-2022-23133)

    XMLWordPrintable

Details

    • Team C
    • Sprint 83 (Dec 2021)
    • 1

    Description

      CVE number CVE-2022-23133
      CVSS score 6.3
      Severity Medium
      Description An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. 
      Known attack vectors When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
      Resolution To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
      Acknowledgements Zabbix wants to thank Hazem Osama for reporting this issue to us
      Affected versions 5.0.0 – 5.0.18
      5.4.0 – 5.4.8
      6.0.0alpha1
      Workarounds -

      Attachments

        Activity

          People

            agriscenko Andrejs Griščenko
            sasha Alexander Vladishev
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: