CVE-2022-23133
Last modified
CVE-2022-23133 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.. EPSS estimates a 1.03% chance of exploitation in the next 30 days.
Description
An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Zabbix | Zabbix | >= 5.0.0, <= 5.0.18 | — |
| Zabbix | Zabbix | >= 5.4.0, <= 5.4.8 | — |
| Zabbix | Zabbix | 6.0.0 | Alpha1 |
| Fedoraproject | Fedora | 34 | — |
| Fedoraproject | Fedora | 35 | — |
References
- https://support.zabbix.com/browse/ZBX-20388Issue Tracking, Patch, Vendor Advisory
- https://support.zabbix.com/browse/ZBX-20388Issue Tracking, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-23133?
How severe is CVE-2022-23133?
How do I fix CVE-2022-23133?
Are you affected by CVE-2022-23133?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST