CVE-2022-23133

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Published: Jan 13, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-23133
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zabbix / zabbix	5.4.0	5.4.8.x
zabbix / zabbix	6.0.0-alpha1	6.0.0-alpha1.x
zabbix / zabbix	5.0.0	5.0.18.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x

https://lists.fedoraproject.org/archives/list/[email protected]/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/[email protected]/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
https://support.zabbix.com/browse/ZBX-20388

Vulnerability Database

289,697

CVE-2022-23133