Vulnerability Description
An authenticated user can create a host group under Configuration whose name carries an XSS payload, and that group is then shown to other users. When such a payload has been stored by an authenticated malicious actor and other users search for host groups while creating a new host, the payload fires, allowing the actor to steal session cookies and perform session hijacking to impersonate those users or take over their accounts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zabbix | Zabbix | >= 5.0.0, <= 5.0.18 |
| Fedoraproject | Fedora | 34 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://support.zabbix.com/browse/ZBX-20388 (Issue Tracking, Patch, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html
FAQ
What is CVE-2022-23133?
CVE-2022-23133 is a vulnerability with a CVSS score of 6.3 (MEDIUM). An authenticated user can create a host group under Configuration whose name carries an XSS payload, and that group is then shown to other users. When such a payload has been stored by an authenticated malicious actor and other users ...
How severe is CVE-2022-23133?
CVE-2022-23133 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-23133?
Check the References section above for vendor advisories and patch information. Affected products: Zabbix (Zabbix) and Fedora (Fedoraproject).