First published: Wed Jul 06 2022
An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Credit: security@zabbix.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zabbix | <4.0.0 | |
| Zabbix | >=5.0.0, <5.0.25 | |
| Zabbix | >=6.0.0, <=6.0.4 | |
| Zabbix | =5.0.25 | |
| ubuntu/zabbix | <1:3.0.12+dfsg-1ubuntu0.1~ | 1:3.0.12+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:4.0.17+dfsg-1ubuntu0.1~ | 1:4.0.17+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:5.0.17+dfsg-1ubuntu0.1~ | 1:5.0.17+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:2.2.2+dfsg-1ubuntu1+ | 1:2.2.2+dfsg-1ubuntu1+ |
| ubuntu/zabbix | <4.0.43, <5.0.25, <6.0.5, <6.2.0 | 4.0.43, 5.0.25, 6.0.5, 6.2.0 |
| ubuntu/zabbix | <1:2.4.7+dfsg-2ubuntu2.1+ | 1:2.4.7+dfsg-2ubuntu2.1+ |
| debian/zabbix | <=1:5.0.8+dfsg-1 | 1:6.0.14+dfsg-1, 1:7.0.3+dfsg-1 |
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/c973e97e9ae5857227712bce30f25f69888615ef
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/905f394a6e98c517e69ead63aa955c0dafe08861
To remediate this vulnerability, apply the updates listed above.
CVE-2022-35229 is a vulnerability that allows an authenticated user to create a link with reflected JavaScript code for the discovery page and send it to other users.
An attacker can exploit CVE-2022-35229 by creating a malicious link with reflected JavaScript code and tricking other users into clicking on it.
CVE-2022-35229 has a severity rating of medium with a CVSS score of 5.4.
Zabbix versions from 4.0.0 (upper bound exclusive), from 5.0.0 up to and including 5.0.25, and from 6.0.0 up to and including 6.0.4 are affected by CVE-2022-35229.
Yes, fixes for CVE-2022-35229 are available. Please refer to the provided references for more information.