CVELIST: CVE-2022-35229 (vendor: Zabbix)
History: Jul 06, 2022 - 11:05 a.m.

CVE-2022-35229 Reflected XSS in discovery page of Zabbix Frontend

Published: 2022-07-06 11:05:12
CWE: CWE-79
Vendor: Zabbix
Source: www.cve.org
Tags: xss, zabbix, csrf, authenticated, javascript

CVSS3: 3.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

AI Score: 6.5
Confidence: High
EPSS: 0.001
Percentile: 28.8%

An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CNA Affected

[
  {
    "vendor": "Zabbix",
    "product": "Frontend",
    "versions": [
      {
        "version": "4.0.0-4.0.42",
        "status": "affected"
      },
      {
        "version": "5.0.0-5.0.24",
        "status": "affected"
      },
      {
        "version": "6.0.0-6.0.4",
        "status": "affected"
      },
      {
        "version": "6.2alpha1-6.2beta3",
        "status": "affected"
      }
    ]
  }
]
