CVSS: 10.0EPSS: 0%CPEs: 10EXPL: 0CVE-2023-32725 – Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.
https://notcve.org/view.php?id=CVE-2023-32725
18 Dec 2023 — The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. El sitio web configurado en el widget de la URL recibirá una cookie de sesión al probar o ejecutar informes programados. La cookie de sesión recibida se puede utilizar para acceder a la interfaz como usuario particular. • https://support.zabbix.com/browse/ZBX-23854 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30958 – DOM XSS in Developer mode dashboard via redirect GET parameter
https://notcve.org/view.php?id=CVE-2023-30958
03 Aug 2023 — A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0. • https://palantir.safebase.us/?tcuUid=5764b094-d3c0-4380-90f2-234f36116c9b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29457 – Insufficient validation of Action form input fields
https://notcve.org/view.php?id=CVE-2023-29457
13 Jul 2023 — Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29456 – Inefficient URL schema validation
https://notcve.org/view.php?id=CVE-2023-29456
13 Jul 2023 — URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29455 – Reflected XSS in several fields of graph form
https://notcve.org/view.php?id=CVE-2023-29455
13 Jul 2023 — Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29454 – Persistent XSS in the user form
https://notcve.org/view.php?id=CVE-2023-29454
13 Jul 2023 — Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 7EXPL: 1CVE-2022-43515 – X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode
https://notcve.org/view.php?id=CVE-2022-43515
05 Dec 2022 — Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-863: Incorrect Authorization •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2022-24919 – Reflected XSS in graph configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24919
09 Mar 2022 — An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlac... • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2022-24918 – Reflected XSS in item configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24918
09 Mar 2022 — An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2022-24917 – Reflected XSS in service configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24917
09 Mar 2022 — An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enl... • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •