Vulnerability Monitor

CVE-2022-23133

An authenticated user can create a host group from the configuration with an XSS payload, which is then shown to other users. Once the XSS is stored by an authenticated malicious actor, the payload fires when other users search for groups during new host creation, allowing the actor to steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Published

2022-01-13T16:15:08.170

Last Modified

2024-11-21T06:48:04.183

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-79
  • Type: Primary
    CWE-79

Affected Vendors & Products

Type              Vendor          Product   Version/Range   Vulnerable?
Application       zabbix          zabbix    ≤ 5.0.18        Yes
Application       zabbix          zabbix    ≤ 5.4.8         Yes
Application       zabbix          zabbix    6.0.0           Yes
Operating System  fedoraproject   fedora    34              Yes
Operating System  fedoraproject   fedora    35              Yes

References