Bugzilla – Bug 1213338
VUL-0: CVE-2023-29454: zabbix: Persistent XSS in the user form
Last modified: 2023-07-25 07:57:36 UTC
CVE-2023-29454 Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29454
https://www.cve.org/CVERecord?id=CVE-2023-29454
https://support.zabbix.com/browse/ZBX-22985
Affects the frontend only, and openSUSE:Factory is on a newer version. Open for openSUSE:Backports:*
I was unable to find the fixing commit so far. What would you suggest?
Reassigning to Boris. @Boris, if I am supposed to help somehow, e.g. to send a Backports version update, let me know. Likewise, if you spot an error in my reasoning.
This one affects backports AND factory; working on packaging for factory and for backports.
This is an autogenerated message for OBS integration: This bug (1213338) was mentioned in https://build.opensuse.org/request/show/1099801 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / zabbix https://build.opensuse.org/request/show/1099803 Backports:SLE-15-SP6 / zabbix
Version in factory is correct, backports still in progress.
openSUSE-SU-2023:0191-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1213338
CVE References: CVE-2023-29454
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): zabbix-4.0.47-bp155.3.3.1
openSUSE Backports SLE-15-SP4 (src): zabbix-4.0.47-bp154.2.3.1
factory and backports are now fixed.
Thanks Boris!