Bug 1196947 - (CVE-2022-24919) VUL-0: CVE-2022-24919: zabbix: Reflected XSS in graph configuration window of Zabbix Frontend
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/325662/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24919:3.7:(AV:...
Reported: 2022-03-10 07:56 UTC by Alexander Bergmann
Modified: 2022-04-19 10:21 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2022-03-10 07:56:26 UTC
CVE-2022-24919

An authenticated user can create a link with reflected JavaScript code inside it
for the graphs page and send it to other users. The payload can be executed only
with a known CSRF token value of the victim, which is changed periodically and
is difficult to predict.

Malicious code has access to all the same objects as the rest of the web page
and can make arbitrary modifications to the contents of the page being displayed
to a victim during social engineering attacks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24919
https://support.zabbix.com/browse/ZBX-20680
Comment 1 Petr Gajdos 2022-03-17 09:00:54 UTC
Adding Boris to CC.
Comment 2 Stanislav Brabec 2022-03-17 22:22:52 UTC
I read the referred upstream page.

It seems that the 9 referenced commits are backported as a single commit to version 4.0.39rc1: 763ff68f0e5, which is the nearest to our SLE versions (4.0.12 and 4.0.31).

I took that patch and applied it. Submitted:

SUSE:SLE-15-SP2:Update:Products:SES7:Update:
https://build.suse.de/request/show/267815

SUSE:SLE-12-SP3:Update:
https://build.suse.de/request/show/267816


Notes:
Please check carefully. I don't have insight into the package.
The changes file explicitly mentions an unfixed bug that is ignored by upstream. If this changes before the release, feel free to delete this line.
Comment 3 Michael Vetter 2022-03-22 10:30:56 UTC
I'm reassigning this to security since SRs from Stanislav were accepted.
Comment 4 Gianluca Gabrielli 2022-03-29 10:54:23 UTC
done
Comment 5 Swamp Workflow Management 2022-04-19 10:21:19 UTC
SUSE-SU-2022:1254-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196944,1196945,1196946,1196947
CVE References: CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    zabbix-4.0.12-4.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.