CVE-2022-35229

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVSS v3 3.7 LOW
CVSS v2.0 3.5 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
https://support.zabbix.com/browse/ZBX-21306	Issue Tracking Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
https://support.zabbix.com/browse/ZBX-21306	Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix:5.0.25:-::::::

History

21 Nov 2024, 07:10

Type	Values Removed	Values Added
References	~~() https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html -~~	() https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html -
References	~~() https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html -~~	() https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html -
References	~~() https://support.zabbix.com/browse/ZBX-21306 - Issue Tracking, Patch, Vendor Advisory~~	() https://support.zabbix.com/browse/ZBX-21306 - Issue Tracking, Patch, Vendor Advisory
CVSS	v2 : ~~3.5~~ v3 : ~~5.4~~	v2 : 3.5 v3 : 3.7

22 Aug 2023, 19:16

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html -

Information

Published : 2022-07-06 11:15

Updated : 2024-11-21 07:10

NVD link : CVE-2022-35229

Mitre link : CVE-2022-35229

CVE.ORG link : CVE-2022-35229

JSON object : View

Products Affected

zabbix

zabbix

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

3.5 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2022-35229

3.7^/10

3.5^/10

Attach tags to `CVE-2022-35229`