Bugzilla – Bug 1196947
VUL-0: CVE-2022-24919: zabbix: Reflected XSS in graph configuration window of Zabbix Frontend
Last modified: 2022-04-19 10:21:19 UTC
for graphs' page and send it to other users. The payload can be executed only
with a known CSRF token value of the victim, which is changed periodically and
is difficult to predict.
Malicious code has access to all the same objects as the rest of the web page
and can make arbitrary modifications to the contents of the page being displayed
to a victim during social engineering attacks.
Adding Boris to CC.
I read the referenced upstream page.
It seems that the 9 referenced commits are backported as a single commit to version 4.0.39rc1: 763ff68f0e5, which is nearest to our SLE versions (4.0.12 and 4.0.31).
I took that patch and applied it. Submitted:
Please check carefully. I don't have insight into the package.
The changes file explicitly mentions an unfixed bug that is ignored by the upstream. If this will change before the release, feel free to delete this line.
I'm reassigning this to security since SRs from Stanislav were accepted.
SUSE-SU-2022:1254-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1196944,1196945,1196946,1196947
CVE References: CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
SUSE Linux Enterprise Server 12-SP5 (src): zabbix-4.0.12-4.15.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.