Vulnerability Description
An authenticated user can craft a link to the actions' pages that carries a reflected XSS payload and send it to other users. When a victim opens the link, the injected script runs in the victim's browser session with the same access to the page's objects as the legitimate frontend code and can arbitrarily modify the content displayed to the victim. Exploitation relies on social engineering and on a combination of factors: the attacker needs authorized access to the Zabbix Frontend, a permitted network path between an attacker-controlled server and the victim's computer, and knowledge of the targeted infrastructure, and must be recognized by the victim as trusted and use a communication channel the victim trusts.
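To make the flaw class concrete, the following is an added illustration, not Zabbix code and not the patch from ZBX-20680: a handler that echoes a query parameter into HTML unescaped, beside the escaped version, plus a check that flags links of the kind described above before a user follows them. The page path `/actions.php`, the parameter name `name`, and the sample URLs are placeholders constructed for the example.

```python
"""Reflected XSS: parameter echoed into HTML unescaped vs. escaped, and a
URL-side check for suspicious links. Added example; the path, parameter
name and sample URLs are assumptions, not taken from Zabbix."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PAGE_PATH = "/actions.php"  # placeholder, not a real Zabbix frontend path
PARAM = "name"              # placeholder parameter name


def render_vulnerable(value: str) -> str:
    # The flaw class: attacker-controlled text is concatenated into markup,
    # so a value like <img src=x onerror=...> becomes a live element.
    return f"<h1>Action: {value}</h1>"


def render_fixed(value: str) -> str:
    # Output encoding for the HTML context. quote=True also encodes " and '
    # so the same helper is safe inside attribute values.
    return f"<h1>Action: {html.escape(value, quote=True)}</h1>"


# Markers that have no business in a plain text parameter on this page:
# tag delimiters, a javascript: URL, or an inline event handler.
_MARKERS = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    # Percent-decode repeatedly so a double-encoded %253C is still seen as <.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list[str]:
    """Return the names of query parameters whose decoded value carries an
    XSS marker. parse_qsl decodes once; decode_fully handles the rest."""
    query = urlsplit(url).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if _MARKERS.search(decode_fully(value)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Constructed sample values and links, not captured traffic.
    payload = '<img src=x onerror=alert(1)>'
    print(render_vulnerable(payload))   # markup survives, script would run
    print(render_fixed(payload))        # rendered as literal text

    links = [
        f"https://zabbix.example{PAGE_PATH}?{PARAM}=Disk+full",
        f"https://zabbix.example{PAGE_PATH}?{PARAM}=%3Cscript%3Ealert(1)%3C/script%3E",
        f"https://zabbix.example{PAGE_PATH}?{PARAM}=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    ]
    for link in links:
        print(suspicious_params(link) or "clean", link)
```

The check is a triage aid for links a user was sent, not a substitute for the fix: the fix is output encoding at the point where the parameter is written into the page, as `render_fixed` shows.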
CVSS Score
MEDIUM (base score 4.6)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zabbix | Frontend | >= 4.0.0, <= 4.0.38 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 34 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
- https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://support.zabbix.com/browse/ZBX-20680 (Issue Tracking, Patch, Vendor Advisory)
FAQ
What is CVE-2022-24349?
CVE-2022-24349 is a vulnerability with a CVSS score of 4.6 (MEDIUM). An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can...
How severe is CVE-2022-24349?
CVE-2022-24349 has been rated MEDIUM with a CVSS base score of 4.6/10. This page lists only the rating and base score; the full CVSS vector is not reproduced here.
Is there a patch for CVE-2022-24349?
Yes. The Zabbix issue ZBX-20680, listed in the references above, is tagged as the vendor advisory and patch; Debian LTS and Fedora published their own package updates, also listed above. Affected products on this page: Zabbix Frontend, Debian Linux, Fedora.