Bug 1213338 (CVE-2023-29454)

Summary: VUL-0: CVE-2023-29454: zabbix: Persistent XSS in the user form
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Boris Manojlovic <boris>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: boris, pgajdos
Version: unspecifiedFlags: pgajdos: needinfo? (boris)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372389/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-07-14 12:55:37 UTC 
CVE-2023-29454

 Stored or persistent cross-site scripting (XSS) is a type of XSS where the
attacker first sends the payload to the web application, then the application
saves the payload (e.g., in a database or server-side text files), and finally,
the application unintentionally executes the payload for every victim visiting
its web pages.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29454
https://www.cve.org/CVERecord?id=CVE-2023-29454
https://support.zabbix.com/browse/ZBX-22985
Comment 1 Robert Frohl 2023-07-14 12:57:06 UTC 
affects the frontend only, and openSUSE:Factory is on newer version. 

open for openSUSE:Backports:*
Comment 2 Petr Gajdos 2023-07-19 13:54:18 UTC 
I was unable to find the fixing commit sofar.
What would you suggest?
Comment 4 Petr Gajdos 2023-07-20 11:27:35 UTC 
Reassigning to Boris.

@Boris, if I am supposed to help somehow, fx. to send an Backports version update, let me know. Likewise, if you spot an error in my reasoning.
Comment 5 Boris Manojlovic 2023-07-20 20:52:41 UTC 
this one affect backports AND factory, working on packaging for factory and for backports
Comment 6 OBSbugzilla Bot 2023-07-20 22:15:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1213338) was mentioned in
https://build.opensuse.org/request/show/1099801 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / zabbix
https://build.opensuse.org/request/show/1099803 Backports:SLE-15-SP6 / zabbix
Comment 7 Boris Manojlovic 2023-07-21 10:48:48 UTC 
version in factory is correct, backports still in progress
Comment 8 Marcus Meissner 2023-07-25 01:05:42 UTC 
openSUSE-SU-2023:0191-1: An update that fixes one vulnerability is now available.\n\nCategory: security (moderate)\nBug References: 1213338\nCVE References: CVE-2023-29454\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    zabbix-4.0.47-bp155.3.3.1\nopenSUSE Backports SLE-15-SP4 (src):    zabbix-4.0.47-bp154.2.3.1\n\n
Comment 9 Boris Manojlovic 2023-07-25 06:51:28 UTC 
factory and backports are now fixed.
Comment 10 Petr Gajdos 2023-07-25 07:57:36 UTC 
Thanks Boris!