CVE-2022-24349 – Reflected XSS in action configuration window of Zabbix Frontend

https://notcve.org/view.php?id=CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. Un usuario autenticado puede crear un enlace con carga útil XSS reflejada para las páginas de acciones, y enviarlo a otros usuarios. El código malicioso tiene acceso a todos los mismos objetos que el resto de la página web y puede realizar modificaciones arbitrarias en el contenido de la página que se muestra a la víctima. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •