csaf_suse - suse-su-2022:1254-1

suse-su-2022:1254-1

Vulnerability from csaf_suse

Published

2022-04-19 07:12

Modified

2022-04-19 07:12

Summary

Security update for zabbix

Notes

Title of the patch

Security update for zabbix

Description of the patch

This update for zabbix fixes the following issues: - CVE-2022-24349: Fixed a reflected XSS in the action configuration window (bsc#1196944). - CVE-2022-24917: Fixed a reflected XSS in the service configuration window (bsc#1196945). - CVE-2022-24918: Fixed a reflected XSS in the item configuration window (bsc#1196946). - CVE-2022-24919: Fixed a reflected XSS in the graph configuration window (bsc#1196947).

Patchnames

SUSE-2022-1254,SUSE-SLE-SERVER-12-SP5-2022-1254

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for zabbix",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for zabbix fixes the following issues:\n\n- CVE-2022-24349: Fixed a reflected XSS in the action configuration window (bsc#1196944).\n- CVE-2022-24917: Fixed a reflected XSS in the service configuration window (bsc#1196945).\n- CVE-2022-24918: Fixed a reflected XSS in the item configuration window (bsc#1196946).\n- CVE-2022-24919: Fixed a reflected XSS in the graph configuration window (bsc#1196947).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2022-1254,SUSE-SLE-SERVER-12-SP5-2022-1254",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_1254-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:1254-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-20221254-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:1254-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-April/010744.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196944",
        "url": "https://bugzilla.suse.com/1196944"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196945",
        "url": "https://bugzilla.suse.com/1196945"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196946",
        "url": "https://bugzilla.suse.com/1196946"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196947",
        "url": "https://bugzilla.suse.com/1196947"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24349 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24349/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24917 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24917/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24918 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24918/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24919 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24919/"
      }
    ],
    "title": "Security update for zabbix",
    "tracking": {
      "current_release_date": "2022-04-19T07:12:53Z",
      "generator": {
        "date": "2022-04-19T07:12:53Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:1254-1",
      "initial_release_date": "2022-04-19T07:12:53Z",
      "revision_history": [
        {
          "date": "2022-04-19T07:12:53Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-server-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.aarch64",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.aarch64",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-server-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.i586"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.i586",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.i586",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-server-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.ppc64le",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.ppc64le",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-server-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.s390"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.s390",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.s390",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.s390"
                }
              }
            ],
            "category": "architecture",
            "name": "s390"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-server-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.s390x",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.s390x",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zabbix-agent-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-agent-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-agent-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-java-gateway-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-java-gateway-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-java-gateway-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-phpfrontend-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-phpfrontend-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-phpfrontend-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-proxy-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-proxy-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-mysql-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-proxy-mysql-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-proxy-mysql-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-proxy-postgresql-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-proxy-postgresql-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-proxy-sqlite-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-proxy-sqlite-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-server-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-server-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-mysql-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-server-mysql-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-server-mysql-4.0.12-4.15.2.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zabbix-server-postgresql-4.0.12-4.15.2.x86_64",
                "product": {
                  "name": "zabbix-server-postgresql-4.0.12-4.15.2.x86_64",
                  "product_id": "zabbix-server-postgresql-4.0.12-4.15.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.aarch64 as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.ppc64le as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.s390x as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.x86_64 as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.aarch64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.s390x as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zabbix-agent-4.0.12-4.15.2.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        },
        "product_reference": "zabbix-agent-4.0.12-4.15.2.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-24349",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24349"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An authenticated user can create a link with reflected XSS payload for actions\u0027 pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim\u0027s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24349",
          "url": "https://www.suse.com/security/cve/CVE-2022-24349"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196944 for CVE-2022-24349",
          "url": "https://bugzilla.suse.com/1196944"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-19T07:12:53Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-24349"
    },
    {
      "cve": "CVE-2022-24917",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24917"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An authenticated user can create a link with reflected Javascript code inside it for services\u0027 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24917",
          "url": "https://www.suse.com/security/cve/CVE-2022-24917"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196945 for CVE-2022-24917",
          "url": "https://bugzilla.suse.com/1196945"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-19T07:12:53Z",
          "details": "low"
        }
      ],
      "title": "CVE-2022-24917"
    },
    {
      "cve": "CVE-2022-24918",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24918"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An authenticated user can create a link with reflected Javascript code inside it for items\u0027 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24918",
          "url": "https://www.suse.com/security/cve/CVE-2022-24918"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196946 for CVE-2022-24918",
          "url": "https://bugzilla.suse.com/1196946"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-19T07:12:53Z",
          "details": "low"
        }
      ],
      "title": "CVE-2022-24918"
    },
    {
      "cve": "CVE-2022-24919",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24919"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An authenticated user can create a link with reflected Javascript code inside it for graphs\u0027 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24919",
          "url": "https://www.suse.com/security/cve/CVE-2022-24919"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196947 for CVE-2022-24919",
          "url": "https://bugzilla.suse.com/1196947"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.aarch64",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.s390x",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-19T07:12:53Z",
          "details": "low"
        }
      ],
      "title": "CVE-2022-24919"
    }
  ]
}

CVE-2022-24917 (GCVE-0-2022-24917)

Vulnerability from cvelistv5

Published

2022-03-09 19:30

Modified

2024-09-17 03:42

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

References

►

URL

Tags

	https://support.zabbix.com/browse/ZBX-20680
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html	mailing-list
	https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html	mailing-list

Impacted products

	Vendor	Product	Version
	Zabbix	Frontend	Version: 4.0.0-4.0.38 Version: 5.0.0-5.0.20 Version: 5.4.0-5.4.10 Patch: 4.0.39rc1 < unspecified Patch: 5.0.21rc1 < unspecified Patch: 5.4.11rc1 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:29:01.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.zabbix.com/browse/ZBX-20680"
          },
          {
            "name": "FEDORA-2022-5fab125c08",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
          },
          {
            "name": "FEDORA-2022-d714c0d39c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
          },
          {
            "name": "FEDORA-2022-19a9053f17",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
          },
          {
            "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Frontend",
          "vendor": "Zabbix",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-4.0.38"
            },
            {
              "status": "affected",
              "version": "5.0.0-5.0.20"
            },
            {
              "status": "affected",
              "version": "5.4.0-5.4.10"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "4.0.39rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.0.21rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.4.11rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "internal research"
        }
      ],
      "datePublic": "2022-02-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated user can create a link with reflected Javascript code inside it for services\u2019 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-12T00:00:00",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "url": "https://support.zabbix.com/browse/ZBX-20680"
        },
        {
          "name": "FEDORA-2022-5fab125c08",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
        },
        {
          "name": "FEDORA-2022-d714c0d39c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
        },
        {
          "name": "FEDORA-2022-19a9053f17",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
        },
        {
          "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To remediate this vulnerability, apply the updates"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Reflected XSS in service configuration window of Zabbix Frontend",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workaround"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2022-24917",
    "datePublished": "2022-03-09T19:30:28.388962Z",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-09-17T03:42:34.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-24919 (GCVE-0-2022-24919)

Vulnerability from cvelistv5

Published

2022-03-09 19:30

Modified

2024-09-17 02:16

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

References

►

URL

Tags

	https://support.zabbix.com/browse/ZBX-20680
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html	mailing-list
	https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html	mailing-list

Impacted products

	Vendor	Product	Version
	Zabbix	Frontend	Version: 4.0.0-4.0.38 Version: 5.0.0-5.0.20 Version: 5.4.0-5.4.10 Version: 6.0 Patch: 4.0.39rc1 < unspecified Patch: 5.0.21rc1 < unspecified Patch: 5.4.11rc1 < unspecified Patch: 6.0.1rc1 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:29:01.858Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.zabbix.com/browse/ZBX-20680"
          },
          {
            "name": "FEDORA-2022-5fab125c08",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
          },
          {
            "name": "FEDORA-2022-d714c0d39c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
          },
          {
            "name": "FEDORA-2022-19a9053f17",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
          },
          {
            "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Frontend",
          "vendor": "Zabbix",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-4.0.38"
            },
            {
              "status": "affected",
              "version": "5.0.0-5.0.20"
            },
            {
              "status": "affected",
              "version": "5.4.0-5.4.10"
            },
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "4.0.39rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.0.21rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.4.11rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "6.0.1rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "internal research"
        }
      ],
      "datePublic": "2022-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated user can create a link with reflected Javascript code inside it for graphs\u2019 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-12T00:00:00",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "url": "https://support.zabbix.com/browse/ZBX-20680"
        },
        {
          "name": "FEDORA-2022-5fab125c08",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
        },
        {
          "name": "FEDORA-2022-d714c0d39c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
        },
        {
          "name": "FEDORA-2022-19a9053f17",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
        },
        {
          "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To remediate this vulnerability, apply the updates"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Reflected XSS in graph configuration window of Zabbix Frontend",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workaround"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2022-24919",
    "datePublished": "2022-03-09T19:30:31.234041Z",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-09-17T02:16:12.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-24918 (GCVE-0-2022-24918)

Vulnerability from cvelistv5

Published

2022-03-09 19:30

Modified

2024-09-16 18:44

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

References

►

URL

Tags

	https://support.zabbix.com/browse/ZBX-20680	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	Zabbix	Frontend	Version: 5.0.0-5.0.20 Version: 5.4.0-5.4.10 Version: 6.0 Patch: 5.0.21rc1 < unspecified Patch: 5.4.11rc1 < unspecified Patch: 6.0.1rc1 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:29:01.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.zabbix.com/browse/ZBX-20680"
          },
          {
            "name": "FEDORA-2022-5fab125c08",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
          },
          {
            "name": "FEDORA-2022-d714c0d39c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
          },
          {
            "name": "FEDORA-2022-19a9053f17",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Frontend",
          "vendor": "Zabbix",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.0-5.0.20"
            },
            {
              "status": "affected",
              "version": "5.4.0-5.4.10"
            },
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.0.21rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.4.11rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "6.0.1rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "internal research"
        }
      ],
      "datePublic": "2022-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated user can create a link with reflected Javascript code inside it for items\u2019 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-26T18:06:59",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.zabbix.com/browse/ZBX-20680"
        },
        {
          "name": "FEDORA-2022-5fab125c08",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
        },
        {
          "name": "FEDORA-2022-d714c0d39c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
        },
        {
          "name": "FEDORA-2022-19a9053f17",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To remediate this vulnerability, apply the updates"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Reflected XSS in item configuration window of Zabbix Frontend",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workaround"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "ZBV-2022-01-3",
          "ASSIGNER": "security@zabbix.com",
          "DATE_PUBLIC": "2022-02-01T08:05:00.000Z",
          "ID": "CVE-2022-24918",
          "STATE": "PUBLIC",
          "TITLE": "Reflected XSS in item configuration window of Zabbix Frontend"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Frontend",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "5.0.0-5.0.20"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "5.4.0-5.4.10"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "6.0"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_value": "5.0.21rc1"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_value": "5.4.11rc1"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_value": "6.0.1rc1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Zabbix"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "internal research"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An authenticated user can create a link with reflected Javascript code inside it for items\u2019 page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.zabbix.com/browse/ZBX-20680",
              "refsource": "MISC",
              "url": "https://support.zabbix.com/browse/ZBX-20680"
            },
            {
              "name": "FEDORA-2022-5fab125c08",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
            },
            {
              "name": "FEDORA-2022-d714c0d39c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
            },
            {
              "name": "FEDORA-2022-19a9053f17",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "To remediate this vulnerability, apply the updates"
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "No workaround"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2022-24918",
    "datePublished": "2022-03-09T19:30:29.711512Z",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-09-16T18:44:15.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-24349 (GCVE-0-2022-24349)

Vulnerability from cvelistv5

Published

2022-03-09 19:30

Modified

2024-09-16 18:45

Severity ?

4.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.

References

►

URL

Tags

	https://support.zabbix.com/browse/ZBX-20680
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html	mailing-list
	https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html	mailing-list

Impacted products

	Vendor	Product	Version
	Zabbix	Frontend	Version: 4.0.0-4.0.38 Version: 5.0.0-5.0.20 Version: 5.4.0-5.4.10 Version: 6.0 Patch: 4.0.39rc1 < unspecified Patch: 5.0.21rc1 < unspecified Patch: 5.4.11rc1 < unspecified Patch: 6.0.1rc1 < unspecified

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:07:02.563Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.zabbix.com/browse/ZBX-20680"
          },
          {
            "name": "FEDORA-2022-5fab125c08",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
          },
          {
            "name": "FEDORA-2022-d714c0d39c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
          },
          {
            "name": "FEDORA-2022-19a9053f17",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
          },
          {
            "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
          },
          {
            "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Frontend",
          "vendor": "Zabbix",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0-4.0.38"
            },
            {
              "status": "affected",
              "version": "5.0.0-5.0.20"
            },
            {
              "status": "affected",
              "version": "5.4.0-5.4.10"
            },
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "4.0.39rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.0.21rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "5.4.11rc1",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "6.0.1rc1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "internal research"
        }
      ],
      "datePublic": "2022-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authenticated user can create a link with reflected XSS payload for actions\u2019 pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim\u2019s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-12T00:00:00",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "url": "https://support.zabbix.com/browse/ZBX-20680"
        },
        {
          "name": "FEDORA-2022-5fab125c08",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z/"
        },
        {
          "name": "FEDORA-2022-d714c0d39c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7/"
        },
        {
          "name": "FEDORA-2022-19a9053f17",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF/"
        },
        {
          "name": "[debian-lts-announce] 20220412 [SECURITY] [DLA 2980-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html"
        },
        {
          "name": "[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To remediate this vulnerability, apply the updates"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Reflected XSS in action configuration window of Zabbix Frontend",
      "workarounds": [
        {
          "lang": "en",
          "value": "The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to the actionconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on the suspicious link, do not fill out the opened form."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2022-24349",
    "datePublished": "2022-03-09T19:30:26.724288Z",
    "dateReserved": "2022-02-02T00:00:00",
    "dateUpdated": "2024-09-16T18:45:12.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2022:1254-1

Vulnerability from csaf_suse

CVE-2022-24917 (GCVE-0-2022-24917)

Vulnerability from cvelistv5

CVE-2022-24919 (GCVE-0-2022-24919)

Vulnerability from cvelistv5

CVE-2022-24918 (GCVE-0-2022-24918)

Vulnerability from cvelistv5

CVE-2022-24349 (GCVE-0-2022-24349)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature