Vulnerability Details : CVE-2022-23133
An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-23133
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:6.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23133
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 27 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-23133
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST | |
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
Zabbix |
CWE ids for CVE-2022-23133
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security@zabbix.com (Secondary)
References for CVE-2022-23133
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SZYHXINBKCY42ITFSNCYE7KCSF33VRA/
[SECURITY] Fedora 34 Update: zabbix-5.0.19-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB6W556GVXOKUYTASTDGL3AI7S3SJHX7/
[SECURITY] Fedora 35 Update: zabbix-5.0.19-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://support.zabbix.com/browse/ZBX-20388
[ZBX-20388] Stored XSS in host groups configuration window in Zabbix Frontend (CVE-2022-23133) - ZABBIX SUPPORTIssue Tracking;Patch;Vendor Advisory
Jump to