Bugzilla – Bug 1219775
VUL-0: CVE-2024-22119: zabbix: stored XSS in graph items select form
Last modified: 2024-05-29 11:16:03 UTC
The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section.
References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22119
- https://www.cve.org/CVERecord?id=CVE-2024-22119
- https://support.zabbix.com/browse/ZBX-24070
Patch:
- https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/62a62b1b7f07a4a7cf249bef05968bb0eef1cfb2
Tracking as affected:
- SUSE:SLE-12-SP3:Update/zabbix 4.0.12
- openSUSE:Backports:SLE-15-SP5/zabbix 4.0.37
This is an autogenerated message for OBS integration:
This bug (1219775) was mentioned in
https://build.opensuse.org/request/show/1146781 Backports:SLE-15-SP5 / zabbix
openSUSE-SU-2024:0064-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1219775
CVE References: CVE-2024-22119
JIRA References:
Sources used:
- openSUSE Backports SLE-15-SP5 (src): zabbix-4.0.50-bp155.3.12.1
Requests were accepted, reassigning to security-team. Thanks Valentin!
SUSE-SU-2024:0862-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1219775
CVE References: CVE-2024-22119
Sources used:
- SUSE Linux Enterprise High Performance Computing 12 SP5 (src): zabbix-4.0.12-4.27.1
- SUSE Linux Enterprise Server 12 SP5 (src): zabbix-4.0.12-4.27.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): zabbix-4.0.12-4.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Missing in Leap 15.6. Please process incoming submission or fix in Leap 15.6 in your chosen way. (bug 1225537)
As per bug 1225537 now also fixed in Leap 15.6, closing