CVE-2022-35229
Published: 6 July 2022
An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Priority
Status
Package | Release | Status |
---|---|---|
zabbix (Launchpad, Ubuntu, Debian) | bionic | Needed |
zabbix | focal | Needed |
zabbix | impish | Ignored (end of life) |
zabbix | jammy | Needed |
zabbix | kinetic | Ignored (end of life, was needs-triage) |
zabbix | lunar | Ignored (end of life, was needs-triage) |
zabbix | mantic | Not vulnerable (6.0.5rc1) |
zabbix | trusty | Needed |
zabbix | upstream | Released (4.0.43rc1, 5.0.25rc1, 6.0.5rc1, 6.2.0rc1) |
zabbix | xenial | Needed |
Patches:
upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c
upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/c973e97e9ae5857227712bce30f25f69888615ef
upstream: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/905f394a6e98c517e69ead63aa955c0dafe08861
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |