CVE-2024-45699

MEDIUM

Zabbix < 6.0.37 - XSS

Title source: rule

Description

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

Exploits (1)

github WORKING POC

by milo2012 · pythonpoc

https://github.com/milo2012/CVE-PoCs/tree/main/assets/CVE-2024-45699.png

View Code ZIP pw:eip

References (2)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/04/msg00027.html

[Vendor Advisory] https://support.zabbix.com/browse/ZBX-26254

Scores

CVSS v3 5.4

EPSS 0.0021

EPSS Percentile 43.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

zabbix/zabbix 6.0.0 - 6.0.37

Published Apr 02, 2025

Tracked Since Feb 18, 2026