Bug 1201292 - (CVE-2022-35229) VUL-0: CVE-2022-35229: zabbix: Javascript embedded in links for discovery page will be executed
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Normal
Assigned To: package coldpool
Security Team bot
URL: https://smash.suse.de/issue/336386/
Reported: 2022-07-07 15:18 UTC by Hu
Modified: 2022-07-07 15:48 UTC
Found By: Security Response Team

Description Hu 2022-07-07 15:18:30 UTC
CVE-2022-35229

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35229
http://www.cvedetails.com/cve/CVE-2022-35229/
https://support.zabbix.com/browse/ZBX-21306
Comment 1 Hu 2022-07-07 15:48:23 UTC
Closing, not affected:
- SUSE:SLE-12-SP3:Update/zabbix         4.0.12
- openSUSE:Backports:SLE-15-SP3/zabbix  3.0.31
- openSUSE:Backports:SLE-15-SP4/zabbix  4.0.37
- openSUSE:Factory/zabbix               4.0.39