Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.

Published

2022-03-09T20:15:08.563

Last Modified

2024-11-21T06:50:13.607

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.6 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zabbix	frontend	≤ 4.0.38	Yes
Application	zabbix	frontend	≤ 5.0.20	Yes
Application	zabbix	frontend	≤ 5.4.10	Yes
Application	zabbix	frontend	6.0.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes

References

https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/ ([email protected])
https://support.zabbix.com/browse/ZBX-20680 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/ (af854a3a-2127-422b-91ae-364da2661108)
https://support.zabbix.com/browse/ZBX-20680 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)