Bug 1174253 - (CVE-2020-15803) VUL-0: CVE-2020-15803: zabbix: stored XSS in the URL Widget
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/263917/
CVSSv3.1:SUSE:CVE-2020-15803:6.3:(AV:...
Reported: 2020-07-17 15:08 UTC by Alexandros Toptsoglou
Modified: 2022-02-16 14:19 UTC (History)
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexandros Toptsoglou 2020-07-17 15:08:07 UTC
CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

References:
https://support.zabbix.com/browse/ZBX-18057
https://bugzilla.redhat.com/show_bug.cgi?id=1858258
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15803
Comment 2 Alexandros Toptsoglou 2020-07-17 15:10:46 UTC
SLE12-SP3, both LEAP 15.1 and 15.2, and Factory tracked as affected.
Comment 3 Boris Manojlovic 2020-07-18 21:58:40 UTC
Updated packages for openSUSE_Leap 15.1 and 15.2, and for Backports_SLE-15-SP1 and Backports_SLE-15-SP2.
Comment 5 Robert Frohl 2020-07-22 11:57:34 UTC
(In reply to Boris Manojlovic from comment #3)
> Updated packages for 
> openSUSE_Leap 15.1 and 15.2
> and for Backports_SLE-15-SP1 Backports_SLE-15-SP2

Sorry, but I had to decline the submission. We require boo# references for CVEs (and normal bugs) for submission.

Could you re-submit with the boo# reference added to the changes file? Just mention boo#1174253 somewhere in the changes entry and that would be sufficient.
Comment 6 Boris Manojlovic 2020-07-22 12:25:23 UTC
Added reference to this bug report.
Comment 7 OBSbugzilla Bot 2020-07-22 13:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1174253) was mentioned in
https://build.opensuse.org/request/show/822230 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / zabbix
Comment 8 Swamp Workflow Management 2020-08-17 16:14:26 UTC
SUSE-SU-2020:2251-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1174253
CVE References: CVE-2020-15803
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    zabbix-4.0.12-4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-10-04 10:14:17 UTC
openSUSE-SU-2020:1604-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1174253
CVE References: CVE-2020-11800,CVE-2020-15803
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    zabbix-3.0.31-lp152.2.3.1
openSUSE Leap 15.1 (src):    zabbix-3.0.31-lp151.2.6.1
openSUSE Backports SLE-15-SP2 (src):    zabbix-3.0.31-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    zabbix-3.0.31-bp151.4.6.1
Comment 10 Wolfgang Frisch 2020-10-15 11:36:26 UTC
Released.
Comment 11 Swamp Workflow Management 2022-02-16 14:19:41 UTC
openSUSE-SU-2022:0036-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1144018,1174253,1181400,1183014,1194681
CVE References: CVE-2020-15803,CVE-2021-27927,CVE-2022-23134
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    zabbix-4.0.37-lp153.2.3.1