Bugzilla – Bug 1194682
VUL-0: CVE-2022-23133: zabbix: Stored XSS in host groups configuration window in Zabbix Frontend
Last modified: 2022-01-14 12:52:47 UTC
CVE-2022-23133: An authenticated user can create a host group from the configuration with an XSS payload, which will be available to other users. When the XSS is stored by an authenticated malicious actor and other users search for groups during new host creation, the payload fires and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Upstream commits:
5.0.19rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/74b8716a73c324e6cdbdda1de434e7872740a908
5.4.9rc1 https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/e53cf2268429eb19f1b803300985d4b37484d8c1
6.0.0alpha8 (master) https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/da98ddaaacdd709651a1c0a123039476438a53ff

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23133
https://support.zabbix.com/browse/ZBX-20388
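The mechanism above, as an added illustration (this is not Zabbix's frontend code and does not reproduce the upstream fix): a host-group search suggestion list rendered once without output encoding and once with it, plus a simple audit helper for group names stored before a fix. All function names and the sample group names are constructed for the example.

```javascript
// Added example, not Zabbix code. Demonstrates why a stored host-group name
// must be HTML-encoded before it is placed into the search suggestion list
// that other users see during host creation.

// Constructed sample data: group names as they might sit in the database,
// the third one being a harmless demonstration payload.
const STORED_GROUP_NAMES = [
  "Linux servers",
  "Zabbix servers",
  '<img src=x onerror="alert(1)">',
];

// Vulnerable form: the stored name is concatenated straight into markup,
// so markup inside the name becomes live HTML in every viewer's browser.
function renderSuggestionsUnsafe(names) {
  return names.map((n) => `<li class="suggest">${n}</li>`).join("");
}

// Encode the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: every name is encoded, so a stored payload is shown as
// inert text ("<img ...>" literally) instead of being parsed as a tag.
function renderSuggestionsSafe(names) {
  return names.map((n) => `<li class="suggest">${escapeHtml(n)}</li>`).join("");
}

// Audit helper for a defender: list stored group names that contain markup
// characters or a javascript: scheme, so entries created before the frontend
// was patched can be reviewed and renamed.
function findSuspiciousGroupNames(names) {
  return names.filter((n) => /[<>"']|javascript:/i.test(n));
}
```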
The code introducing the XSS is not present in versions 4.x and smaller. I think we are not affected. Closing.