First published: Wed Mar 09 2022(Updated: )
An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.
Credit: security@zabbix.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zabbix Frontend | >=4.0.0<=4.0.38 | |
Zabbix Frontend | >=5.0.0<=5.0.20 | |
Zabbix Frontend | >=5.4.0<=5.4.10 | |
Zabbix Frontend | =6.0.0 | |
Debian Debian Linux | =9.0 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 |
To remediate this vulnerability, apply the updates
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2022-24919 is medium with a CVSS score of 4.4.
An authenticated user can create a link with reflected JavaScript code and send it to other users, which can be executed with a known CSRF token value of the victim.
Zabbix Frontend versions between 4.0.0 and 4.0.38, 5.0.0 and 5.0.20, 5.4.0 and 5.4.10, and version 6.0.0 are affected by CVE-2022-24919.
Apply the security patches or updates provided by Zabbix to mitigate the CVE-2022-24919 vulnerability in Zabbix Frontend.
The Common Vulnerability Enumeration (CVE) ID of this vulnerability is CVE-2022-24919.