CVE-2022-24919 vulnerability in Zabbix and Other Products
Published on March 9, 2022

Reflected XSS in graph configuration window of Zabbix Frontend

An authenticated user can create a link with reflected Javascript code inside it for graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-24919 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-24919 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2022-24919

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-24919 are published in these products:

Zabbix Frontend

Debian Linux

Fedora Project Fedora

Affected Versions

Zabbix Frontend:

Version 4.0.0-4.0.38 is affected.
Version 5.0.0-5.0.20 is affected.
Version 5.4.0-5.4.10 is affected.
Version 6.0 is affected.
Version 4.0.39rc1 and below unspecified is unaffected.
Version 5.0.21rc1 and below unspecified is unaffected.
Version 5.4.11rc1 and below unspecified is unaffected.
Version 6.0.1rc1 and below unspecified is unaffected.

Exploit Probability

EPSS

0.37%

Percentile

58.45%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.