CVE-2022-24917
LOWZabbix Frontend 4.0.0-4.0.37 - Authenticated Reflected Cross-Site Scripting via Service Page Link
Title source: llmDescription
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/
Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
Issue Tracking, Patch, Vendor Advisory
https://support.zabbix.com/browse/ZBX-20680
Scores
CVSS v3
3.7
EPSS
0.0088
EPSS Percentile
75.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (6)
debian/debian_linux
9.0
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
zabbix/frontend
6.0.0
zabbix/frontend
4.0.0 - 4.0.38
Published
Mar 09, 2022
Tracked Since
Feb 18, 2026