First published: Wed Jul 06 2022
An authenticated user can craft a link to the graphs page that carries reflected JavaScript code and send it to other users. The payload executes only if the attacker knows the victim's CSRF token value, which changes periodically and is difficult to predict.
Credit: security@zabbix.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zabbix | <5.0.25 | |
| Zabbix | =5.0.25 | |
| Zabbix | =5.0.25-rc1 | |
| ubuntu/zabbix | <1:3.0.12+dfsg-1ubuntu0.1~ | 1:3.0.12+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:4.0.17+dfsg-1ubuntu0.1~ | 1:4.0.17+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:5.0.17+dfsg-1ubuntu0.1~ | 1:5.0.17+dfsg-1ubuntu0.1~ |
| ubuntu/zabbix | <1:2.2.2+dfsg-1ubuntu1+ | 1:2.2.2+dfsg-1ubuntu1+ |
| ubuntu/zabbix | <4.0.43, <5.0.25, <6.0.5, <6.2.0 | 4.0.43, 5.0.25, 6.0.5, 6.2.0 |
| ubuntu/zabbix | <1:2.4.7+dfsg-2ubuntu2.1+ | 1:2.4.7+dfsg-2ubuntu2.1+ |
| debian/zabbix | <=1:5.0.8+dfsg-1 | 1:6.0.14+dfsg-1, 1:7.0.3+dfsg-1 |
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b47a97676ee9ca4e16566f1931c456459108eae
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b8708dcebc4b4f62ba89d7e7d52fdc034e25d96b
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/20985a67f64af0ee23a7124503685aecec2ecaf7
To remediate this vulnerability, apply the updates listed in the table above or upgrade to a release that contains the referenced fix commits.
CVE-2022-35230 is a vulnerability in Zabbix that allows an authenticated user to create a link containing reflected JavaScript code and send it to other users.
Zabbix versions 5.0.25 and 5.0.25-rc1 are affected by CVE-2022-35230.
An authenticated user can create a link to the graphs page containing reflected JavaScript code and send it to other users.
CVE-2022-35230 has a severity value of 5.4, which is considered medium.
Yes, a fix for CVE-2022-35230 is available. Please refer to the provided references for more information.