First published: Wed Mar 09 2022(Updated: )
An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Credit: security@zabbix.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zabbix Frontend | >=5.0.0<=5.0.20 | |
Zabbix Frontend | >=5.4.0<=5.4.10 | |
Zabbix Frontend | =6.0.0 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 |
To remediate this vulnerability, apply the updates
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue is CVE-2022-24918.
The severity of CVE-2022-24918 is medium with a CVSS score of 4.4.
Zabbix Frontend versions 5.0.0 to 5.0.20, 5.4.0 to 5.4.10, and 6.0.0, as well as Fedora versions 34, 35, and 36, are affected by CVE-2022-24918.
The CWE ID for CVE-2022-24918 is CWE-352 and CWE-79.
To mitigate CVE-2022-24918, it is recommended to update Zabbix Frontend to a patched version and follow any instructions provided by the software vendor or distribution regarding the vulnerability.