[ZBX-24070] Stored XSS in graph items select form (CVE-2024-22119) Created: 2023 Nov 22  Updated: 2024 Apr 10  Resolved: 2023 Nov 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: None
Fix Version/s: 5.0.42rc1, 7.0 (plan)

Type: Defect (Security) Priority: Blocker
Reporter: Sergejs Maklakovs Assignee: Elina Pulke
Resolution: Fixed Votes: 0
Labels: graph, items, xss
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-11-22-12-09-52-393.png     PNG File image-2023-11-22-12-10-40-172.png    
Issue Links:
Duplicate
Team: Team C
Story Points: 1

 Description   

Can be reproduced on - 5.0, 6.0, 6.4, master.

Steps to reproduce:
1) Create item with name - <img src="x" onerror="alert('UWAGA');"/>
2) Create graph and add created item to items list.
3) Save graph.
4) Open created graph again and click on added item.
5) Then click on its name.

Result:

Expected:
No alarm message.
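The reproduction steps above, worked through as an added example (this is not Zabbix code, and the function names, the item ID and the exact markup of the graph items list are assumptions). The item name from step 1 is concatenated into the link markup unchanged, so the browser creates an <img> element whose onerror handler runs; the fixed variant passes the name through htmlspecialchars(), the change the security comment below records, and the same payload becomes inert text. A small DOMDocument check shows the difference the way a browser would see it:

```php
<?php
// Added example (not Zabbix's own code): vulnerable vs. fixed rendering of a
// graph item name, plus a DOM-based check. Names and markup are hypothetical.

declare(strict_types=1);

// Constructed input: the item name from the reproduction steps.
const PAYLOAD_NAME = '<img src="x" onerror="alert(\'UWAGA\');"/>';

// Vulnerable rendering: the stored name lands in the HTML unescaped.
function render_item_link_vulnerable(string $name, int $itemid): string
{
    return '<a href="#" data-itemid="' . $itemid . '">' . $name . '</a>';
}

// Escape for the HTML text/attribute context. ENT_QUOTES also escapes single
// quotes, so the helper is safe inside single- or double-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed rendering: every untrusted value is escaped at the point of output.
function render_item_link_fixed(string $name, int $itemid): string
{
    return '<a href="#" data-itemid="' . $itemid . '">' . h($name) . '</a>';
}

// Parse the markup as a browser would and look for any element carrying an
// event-handler attribute (onerror, onload, ...). True means script can run.
function has_event_handler_element(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragments produce harmless warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (strncasecmp($attr->name, 'on', 2) === 0) {
                return true;
            }
        }
    }
    return false;
}

$itemid = 23344; // hypothetical item ID
$vuln  = render_item_link_vulnerable(PAYLOAD_NAME, $itemid);
$fixed = render_item_link_fixed(PAYLOAD_NAME, $itemid);

printf("vulnerable: %s\n  handler present: %s\n", $vuln, var_export(has_event_handler_element($vuln), true));
printf("fixed:      %s\n  handler present: %s\n", $fixed, var_export(has_event_handler_element($fixed), true));
```

Run it with `php xss_demo.php` (needs ext-dom, which ships with most PHP builds). htmlspecialchars() is the right tool only for the HTML element and attribute context shown here; if the same item name were written into a JavaScript string literal or a URL, it would need JSON or URL encoding for that context instead, and the DOM check above is a useful regression test for whichever context the value ends up in.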



 Comments   
Comment by Elina Pulke [ 2023 Nov 22 ]

Fixed in development branch feature/DEV-2734-5.0.

Comment by Elina Pulke [ 2023 Nov 23 ]

Fixed in development branches:

Comment by Elina Pulke [ 2023 Nov 23 ]

Fixed in:

Comment by Maris Melnikovs (Inactive) [ 2023 Nov 30 ]
Mitre ID CVE-2024-22119
CVSS score 5.5
CVSS vector https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Severity Medium
Summary Stored XSS in graph items select form
Description The cause of the vulnerability is improper validation of the input field called Name on the Graph page in the Items section.
Common Weakness Enumeration (CWE) CWE-20 Improper Input Validation
Common Attack Pattern Enumeration and Classification (CAPEC) CAPEC-592 Stored XSS
Known attack vectors Malicious code can be entered into the Graph items Name field and can be executed when a user clicks on the current graph item name link.
Details Steps to reproduce:
1) Create item with name - <img src="x" onerror="alert('UWAGA');"/>
2) Create graph and add created item to items list.
3) Save graph.
4) Open created graph again and click on added item.
Scope of changes (mini spec for internal use) The additional string conversion function htmlspecialchars() was added, which converts special characters to HTML entities.
Patch provided  No
Component/s Frontend
Affected and fixed version/s 5.0.0 - 5.0.39 / 5.0.40rc1
6.0.0 - 6.0.23 / 6.0.24rc1
6.4.0 - 6.4.8 / 6.4.9rc1
7.0.0alpha1 - 7.0.0alpha7 / 7.0.0alpha8
Fix compatibility tests -
Resolution Fixed
Workarounds -
Acknowledgements -
Generated at Tue Mar 18 11:08:31 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.