First published: Wed Dec 08 2021
An authenticated user can create a hosts group from the configuration with an XSS payload, and that group is then shown to other users. Because the payload is stored by an authenticated malicious actor, it fires whenever other users search for groups during new host creation, at which point the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Credit: security@zabbix.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zabbix Zabbix | >=5.0.0, <=5.0.18 | |
Zabbix Zabbix | >=5.4.0, <=5.4.8 | |
Zabbix Zabbix | =6.0.0-alpha1 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
To remediate this vulnerability, apply the updates.
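A defender-side check for this finding, added here as example code that is not part of the advisory or of Zabbix itself: it builds the hostgroup.get call that Zabbix 5.x exposes over its JSON-RPC API and flags any host group whose name contains markup, so a stored payload of this kind can be located (and the group renamed) after the update is applied. The API URL and token are placeholders and the sample response is constructed.

```python
import json
import re
import urllib.request

# Markup or script fragments that should never appear in a host group name;
# CVE-2022-23133 stores its payload in exactly this field.
SUSPICIOUS = re.compile(r"[<>]|&#|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def build_hostgroup_get_request(auth_token, request_id=1):
    """JSON-RPC body for hostgroup.get on Zabbix 5.x (token in 'auth')."""
    return {
        "jsonrpc": "2.0",
        "method": "hostgroup.get",
        "params": {"output": ["groupid", "name"]},
        "auth": auth_token,
        "id": request_id,
    }


def fetch_hostgroups(api_url, auth_token):
    """Query a live frontend, e.g. https://zabbix.example/api_jsonrpc.php
    (placeholder URL and token). Not called in the offline run below."""
    body = json.dumps(build_hostgroup_get_request(auth_token)).encode()
    req = urllib.request.Request(
        api_url, data=body, headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_group_names(api_response):
    """Return [(groupid, name)] for every group whose name looks like markup."""
    if "error" in api_response:
        raise RuntimeError("API error: %s" % api_response["error"])
    return [(g["groupid"], g["name"]) for g in api_response.get("result", [])
            if SUSPICIOUS.search(g.get("name", ""))]


# Constructed sample in the shape hostgroup.get returns; the last entry
# imitates a group whose name carries stored markup.
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "result": [
        {"groupid": "2", "name": "Linux servers"},
        {"groupid": "42", "name": "Web servers <script>x()</script>"},
    ],
    "id": 1,
}

if __name__ == "__main__":
    for groupid, name in audit_group_names(SAMPLE_RESPONSE):
        print("groupid %s has markup in its name: %r" % (groupid, name))
```

Run it against `fetch_hostgroups(...)` output in place of `SAMPLE_RESPONSE` to audit a real instance; a non-empty result after patching means the stored name still needs to be cleaned up.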
CVE-2022-23133 is a vulnerability in Zabbix that allows an authenticated user to create a hosts group from the configuration with an XSS payload, which can be used to steal information from other users.
CVE-2022-23133 affects Zabbix versions 5.0.0 to 5.0.18, 5.4.0 to 5.4.8, and 6.0.0-alpha1. It also affects Fedora versions 34 and 35.
CVE-2022-23133 has a severity rating of medium with a score of 5.4.
An authenticated user can exploit CVE-2022-23133 by creating a hosts group with an XSS payload in the configuration and then tricking other users into searching for groups during new host creation.
Yes, fixes for CVE-2022-23133 are available. Please refer to the references for more information.