Strix
26.1K

CVE-2022-24349

MEDIUMCVSS 4.4/10EPSS 0.78%

Last modified

CVE-2022-24349 is a medium-severity vulnerability rated 4.4/10 on the CVSS scale. An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. EPSS estimates a 0.78% chance of exploitation in the next 30 days.

Description

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.

Metrics

CVSS 3.1
4.4/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.78%

51.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ZabbixFrontend>= 4.0.0, <= 4.0.38
ZabbixFrontend>= 5.0.0, <= 5.0.20
ZabbixFrontend>= 5.4.0, <= 5.4.10
ZabbixFrontend6.0.0
DebianDebian Linux9.0
FedoraprojectFedora34
FedoraprojectFedora35

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-24349?
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.
How severe is CVE-2022-24349?
CVE-2022-24349 has a CVSS score of 4.4/10 (MEDIUM severity). The EPSS model estimates a 0.78% probability of exploitation in the next 30 days.
How do I fix CVE-2022-24349?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24349?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST