CVE-2022-35229

Reflected XSS in discovery page of Zabbix Frontend

CVSS 3.7 LOWEPSS 0.6%CWE-79

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 3.7EPSS 0.6%KEV nãoPoC —Patch —

Lifecycle

06 Jul 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products

Zabbix · Frontend

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html https://support.zabbix.com/browse/ZBX-21306