CVE-2022-35230
Reflected XSS in graphs page of Zabbix Frontend
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de gráficos y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor conocido del token CSRF de la víctima, que es cambiado periódicamente y es difícil de predecir
*Credits:
internal research
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-07-05 CVE Reserved
- 2022-07-06 CVE Published
- 2024-01-27 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://support.zabbix.com/browse/ZBX-21305 | 2023-04-12 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Zabbix Search vendor "Zabbix" | Zabbix Search vendor "Zabbix" for product "Zabbix" | < 5.0.25 Search vendor "Zabbix" for product "Zabbix" and version " < 5.0.25" | - |
Affected
| ||||||
| Zabbix Search vendor "Zabbix" | Zabbix Search vendor "Zabbix" for product "Zabbix" | 5.0.25 Search vendor "Zabbix" for product "Zabbix" and version "5.0.25" | - |
Affected
| ||||||
| Zabbix Search vendor "Zabbix" | Zabbix Search vendor "Zabbix" for product "Zabbix" | 5.0.25 Search vendor "Zabbix" for product "Zabbix" and version "5.0.25" | rc1 |
Affected
| ||||||