CVE-2022-23133

Published: Jan 13, 2022

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Vendor	Product	Versions
Zabbix	Frontend	affected `5.0.0 – 5.0.18` affected `5.4.0 – 5.4.8` unaffected `5.0.19 - < 5.0.19` unaffected `5.4.9 - < 5.4.9`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://support.zabbix.com/browse/ZBX-20388

x_refsource_MISC

FEDORA-2022-dfe346f53f

vendor-advisory

x_refsource_FEDORA

FEDORA-2022-1a667b0f90

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-23133

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References