Bug 1196947 - (CVE-2022-24919) VUL-0: CVE-2022-24919: zabbix: Reflected XSS in graph configuration window of Zabbix Frontend
VUL-0: CVE-2022-24919: zabbix: Reflected XSS in graph configuration window of...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-03-10 07:56 UTC by Alexander Bergmann
Modified: 2022-04-19 10:21 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2022-03-10 07:56:26 UTC

An authenticated user can create a link with reflected Javascript code inside it
for graphs’ page and send it to other users. The payload can be executed only
with a known CSRF token value of the victim, which is changed periodically and
is difficult to predict.
Malicious code has access to all the same objects as the rest of the web page
and can make arbitrary modifications to the contents of the page being displayed
to a victim during social engineering attacks.

Comment 1 Petr Gajdos 2022-03-17 09:00:54 UTC
Adding Boris to CC.
Comment 2 Stanislav Brabec 2022-03-17 22:22:52 UTC
I read the referred upstream page.

It seems that the 9 referred commits are backported as a single commit to the version 4.0.39rc1: 763ff68f0e5, which is nearest to our SLE versions (4.0.12 and 4.0.31).

I took that patch and applied. Submitted:



Please carefully check. I don't have insight to the package.
The changes file explicitly mentions an unfixed bug that is ignored by the upstream. If this will change before the release, feel free to delete this line.
Comment 3 Michael Vetter 2022-03-22 10:30:56 UTC
I'm reassigning this to security since SRs from Stanislav were accepted.
Comment 4 Gianluca Gabrielli 2022-03-29 10:54:23 UTC
Comment 5 Swamp Workflow Management 2022-04-19 10:21:19 UTC
SUSE-SU-2022:1254-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196944,1196945,1196946,1196947
CVE References: CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    zabbix-4.0.12-4.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.