CVE-2022-23133
Severity: MEDIUM
Zabbix 5.0.0-5.0.17 - Authenticated Stored Cross-Site Scripting via Host Group Configuration
An authenticated user can create a host group from the configuration pages with an XSS payload in its name, and that group is then visible to other users. Once the payload has been stored by an authenticated malicious actor, it fires whenever another user searches for groups while creating a new host; the actor can then steal that user's session cookies and hijack the session to impersonate the user or take over the account.
References (4)
Issue Tracking, Patch, Vendor Advisory (x_refsource_misc): https://support.zabbix.com/browse/ZBX-20388
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
Scores
CVSS v3: 6.3
EPSS: 0.0096
EPSS Percentile: 76.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Details
CWE: CWE-79
Status: published
Products (4)
fedoraproject/fedora: 34
fedoraproject/fedora: 35
zabbix/zabbix: 6.0.0 alpha1
zabbix/zabbix: 5.0.0 - 5.0.18
Published: Jan 13, 2022
Tracked Since: Feb 18, 2026