NotCVE - vendor:"Zabbix"

Page 8 of 88 results (0.007 seconds)

CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0

CVE-2022-24918 – Reflected XSS in item configuration window of Zabbix Frontend

https://notcve.org/view.php?id=CVE-2022-24918

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de artículos y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor de token CSRF conocido de la víctima, que se cambia periódicamente y es difícil de predecir. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/browse/ZBX-20680 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0

CVE-2022-24917 – Reflected XSS in service configuration window of Zabbix Frontend

https://notcve.org/view.php?id=CVE-2022-24917

An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de servicios y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor de token CSRF conocido de la víctima, que se cambia periódicamente y es difícil de predecir. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.6EPSS: 0%CPEs: 7EXPL: 0

CVE-2022-24349 – Reflected XSS in action configuration window of Zabbix Frontend

https://notcve.org/view.php?id=CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. Un usuario autenticado puede crear un enlace con carga útil XSS reflejada para las páginas de acciones, y enviarlo a otros usuarios. El código malicioso tiene acceso a todos los mismos objetos que el resto de la página web y puede realizar modificaciones arbitrarias en el contenido de la página que se muestra a la víctima. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 1

CVE-2021-46088

https://notcve.org/view.php?id=CVE-2021-46088

Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user. Zabbix versiones 4.0 LTS, 4.2, 4.4 y 5.0 LTS, es vulnerable a una ejecución de código remota (RCE). Cualquier usuario con el rol "Zabbix Admin" es capaz de ejecutar un script shell personalizado en el servidor de aplicaciones en el contexto del usuario de la aplicación • https://github.com/paalbra/zabbix-zbxsec-7 •

CVSS: 5.3EPSS: 65%CPEs: 12EXPL: 0

CVE-2022-23134 – Zabbix Frontend Improper Access Control Vulnerability

https://notcve.org/view.php?id=CVE-2022-23134

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. Después del proceso de configuración inicial, algunos pasos del archivo setup.php son accesibles no sólo para los superadministradores, sino también para los usuarios no autenticados. Un actor malicioso puede pasar las comprobaciones de los pasos y potencialmente cambiar la configuración de Zabbix Frontend Malicious actors can pass step checks and potentially change the configuration of Zabbix Frontend. • https://lists.debian.org/debian-lts-announce/2022/02/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7 https://support.zabbix.com/browse/ZBX-20384 • CWE-284: Improper Access Control CWE-287: Improper Authentication •

1...6 7 8 9 10