Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20388

Stored XSS in host groups configuration window in Zabbix Frontend (CVE-2022-23133)

XMLWordPrintable

    • Team C
    • Sprint 83 (Dec 2021)
    • 1

      CVE number CVE-2022-23133
      CVSS score 6.3
      Severity Medium
      Description An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. 
      Known attack vectors When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
      Resolution To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
      Acknowledgements Zabbix wants to thank Hazem Osama for reporting this issue to us
      Affected versions 5.0.0 – 5.0.18
      5.4.0 – 5.4.8
      6.0.0alpha1
      Workarounds -

            agriscenko Andrejs Griščenko
            sasha Alexander Vladishev
            Team C
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: