Vulnerability CVE-2022-23133: Information

Description

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-23133
Published: Jan. 13, 2022
Modified: Nov. 7, 2023
Error type identifier: CWE-79

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
zabbixsisyphus5.4.9-alt16.0.29-alt1ALT-PU-2021-3617-1292547Fixed
zabbixsisyphus_e2k5.4.9-alt16.0.29-alt1ALT-PU-2021-4721-1-Fixed
zabbixp106.0.7-alt26.0.29-alt0.p10.1ALT-PU-2022-2499-1305446Fixed
zabbixp10_e2k5.4.9-alt16.0.29-alt0.p10.1ALT-PU-2021-4717-1-Fixed
zabbixc10f16.0.7-alt26.0.27-alt0.c10f1.1ALT-PU-2022-2499-1305446Fixed
zabbixc9f25.0.38-alt15.0.40-alt1ALT-PU-2023-6268-3329847Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://support.zabbix.com/browse/ZBX-20388
  • Issue Tracking
  • Patch
  • Vendor Advisory
FEDORA-2022-dfe346f53f
    FEDORA-2022-1a667b0f90

        1. Configuration 1

          cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
          Start including
          5.4.0
          End including
          5.4.8
          cpe:2.3:a:zabbix:zabbix:6.0.0:alpha1:*:*:*:*:*:*
          cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
          Start including
          5.0.0
          End including
          5.0.18

          Configuration 2

          cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.1
      Back to top