CVE-2022-24349
Reflected XSS in action configuration window of Zabbix Frontend
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
An authenticated user can create a link carrying a reflected XSS payload for the actions' pages and send it to other users. The injected code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page displayed to a victim. The attack relies on social engineering and requires a number of factors to coincide: the attacker must have authorized access to the Zabbix Frontend, a network connection between the malicious server and the victim's computer must be allowed, the attacker must understand the targeted infrastructure, and the attacker must be recognized by the victim as a trusted party and use a trusted communication channel.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-02 CVE Reserved
- 2022-03-09 CVE Published
- 2024-05-31 EPSS Updated
- 2024-09-16 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (6)
URL | Tag | Source
---|---|---
https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html | Mailing List |
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html | Mailing List |

URL | Date | SRC
---|---|---
https://support.zabbix.com/browse/ZBX-20680 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Zabbix | Frontend | >= 4.0.0 <= 4.0.38 | - | Affected
Zabbix | Frontend | >= 5.0.0 <= 5.0.20 | - | Affected
Zabbix | Frontend | >= 5.4.0 <= 5.4.10 | - | Affected
Zabbix | Frontend | 6.0.0 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Fedoraproject | Fedora | 34 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected