Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-32721 (GCVE-0-2023-32721)
Vulnerability from cvelistv5 – Published: 2023-10-12 06:04 – Updated: 2025-11-03 21:48
VLAI
EPSS
Title
Stored XSS in Maps element
Summary
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
Severity
7.6 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Date Public
2023-09-11 09:50
Credits
This vulnerability is found by Prasetia from HackerOne community.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:48:35.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.zabbix.com/browse/ZBX-23389"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"API",
"Frontend"
],
"product": "Zabbix",
"repo": "https://git.zabbix.com/",
"vendor": "Zabbix",
"versions": [
{
"changes": [
{
"at": "4.0.48rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.0.47",
"status": "affected",
"version": "4.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "5.0.37rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.36",
"status": "affected",
"version": "5.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "6.0.21rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.20",
"status": "affected",
"version": "6.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "6.4.6rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.5",
"status": "affected",
"version": "6.4.0",
"versionType": "git"
},
{
"changes": [
{
"at": "7.0.0alpha4",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.0.0alpha3",
"status": "affected",
"version": "7.0.0alpha1",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "This vulnerability is found by Prasetia from HackerOne community."
}
],
"datePublic": "2023-09-11T09:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."
}
],
"value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T22:06:39.320Z",
"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
"shortName": "Zabbix"
},
"references": [
{
"url": "https://support.zabbix.com/browse/ZBX-23389"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS in Maps element",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
"assignerShortName": "Zabbix",
"cveId": "CVE-2023-32721",
"datePublished": "2023-10-12T06:04:10.100Z",
"dateReserved": "2023-05-11T21:25:43.367Z",
"dateUpdated": "2025-11-03T21:48:35.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-32721",
"date": "2026-06-09",
"epss": "0.00715",
"percentile": "0.72769"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-32721\",\"sourceIdentifier\":\"security@zabbix.com\",\"published\":\"2023-10-12T07:15:09.677\",\"lastModified\":\"2025-11-03T22:16:21.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado Cross-Site Scripting (XSS) almacenado en la aplicaci\u00f3n web Zabbix en el elemento Maps si un campo URL est\u00e1 configurado con espacios antes de la URL.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@zabbix.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@zabbix.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndIncluding\":\"4.0.47\",\"matchCriteriaId\":\"81B6A997-4187-4D90-98D8-CF4F1186FB0C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndIncluding\":\"5.0.36\",\"matchCriteriaId\":\"9CAED9EA-BFA1-4BCF-8323-97AD46AC28C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.0.20\",\"matchCriteriaId\":\"531CCCBF-46AD-4988-8A9D-ED4FD5208C71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4.0\",\"versionEndIncluding\":\"6.4.5\",\"matchCriteriaId\":\"868F271E-2595-4D01-BF53-46460F98891A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"93EB5757-7F98-4428-9616-C30A647A6612\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA00BDB5-433F-44E5-87AC-DA01C64B5DB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"98C46C92-9D86-45CD-88FE-DFBB5502BB88\"}]}]}],\"references\":[{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html\",\"source\":\"security@zabbix.com\"},{\"url\":\"https://support.zabbix.com/browse/ZBX-23389\",\"source\":\"security@zabbix.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.zabbix.com/browse/ZBX-23389\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Title
Уязвимость интерфейса универсальной системы мониторинга Zabbix, позволяющая нарушителю проводить межсайтовые сценарные атаки
Description
Уязвимость интерфейса универсальной системы мониторинга Zabbix связана с недостаточной проверкой входных данных при обработке поля URL элемента Maps. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, проводить межсайтовые сценарные атаки
Severity
Vendor
ООО «Ред Софт», ООО «РусБИТех-Астра», АО «НТЦ ИТ РОСА», Zabbix LLC., АО «ИВК», АО "НППКТ"
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), РОСА ХРОМ (запись в едином реестре российских программ №1607), Zabbix, АЛЬТ СП 10, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 12.4 (РОСА ХРОМ), от 4.0.0 до 4.0.47 включительно (Zabbix), от 5.0.0 до 5.0.36 включительно (Zabbix), от 6.0.0 до 6.0.20 включительно (Zabbix), от 6.4.0 до 6.4.5 включительно (Zabbix), от 7.0.0alpha1 до 7.0.0alpha3 включительно (Zabbix), - (АЛЬТ СП 10), до 2.11 (ОСОН ОСнова Оnyx)
Possible Mitigations
Использование рекомендаций:
https://support.zabbix.com/browse/ZBX-23389
Для ОС Альт 8 СП (релиз 10): установка обновления из публичного репозитория программного средства
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОСОН ОСнова Оnyx (2.11):
Обновление программного обеспечения zabbix до версии 1:6.0.29+dfsg-1osnova1
Для ОС Astra Linux:
обновить пакет zabbix до 1:6.0.29+dfsg-1+ci202405271621+astra7 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17
Для Astra Linux Special Edition 4.7 для архитектуры ARM:
обновить пакет zabbix до 1:6.0.29+dfsg-1+ci202405271621+astra7 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47
Для операционной системы РОСА ХРОМ: https://abf.rosa.ru/advisories/ROSA-SA-2024-2539
Reference
https://support.zabbix.com/browse/ZBX-23389
https://vuldb.com/?id.242018
https://altsp.su/obnovleniya-bezopasnosti/
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.11/
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47
https://abf.rosa.ru/advisories/ROSA-SA-2024-2539
CWE
CWE-20, CWE-79
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:C/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb, Zabbix LLC., \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 12.4 (\u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c), \u043e\u0442 4.0.0 \u0434\u043e 4.0.47 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Zabbix), \u043e\u0442 5.0.0 \u0434\u043e 5.0.36 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Zabbix), \u043e\u0442 6.0.0 \u0434\u043e 6.0.20 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Zabbix), \u043e\u0442 6.4.0 \u0434\u043e 6.4.5 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Zabbix), \u043e\u0442 7.0.0alpha1 \u0434\u043e 7.0.0alpha3 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Zabbix), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), \u0434\u043e 2.11 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://support.zabbix.com/browse/ZBX-23389\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0440\u0435\u043b\u0438\u0437 10): \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (2.11):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f zabbix \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:6.0.29+dfsg-1osnova1\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 zabbix \u0434\u043e 1:6.0.29+dfsg-1+ci202405271621+astra7 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 zabbix \u0434\u043e 1:6.0.29+dfsg-1+ci202405271621+astra7 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\n\n\u0414\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c: https://abf.rosa.ru/advisories/ROSA-SA-2024-2539",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "11.05.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.03.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "17.10.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-06803",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-32721",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), Zabbix, \u0410\u041b\u042c\u0422 \u0421\u041f 10, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb \u0420\u041e\u0421\u0410 \u0425\u0420\u041e\u041c 12.4 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21161607), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.11 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 Zabbix, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20), \u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 Zabbix \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043f\u043e\u043b\u044f URL \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u0430 Maps. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f, \u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://support.zabbix.com/browse/ZBX-23389\nhttps://vuldb.com/?id.242018\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.11/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\nhttps://abf.rosa.ru/advisories/ROSA-SA-2024-2539",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u0437\u0430\u0449\u0438\u0442\u044b",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20, CWE-79",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)"
}
FKIE_CVE-2023-32721
Vulnerability from fkie_nvd - Published: 2023-10-12 07:15 - Updated: 2025-11-03 22:16
Severity
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81B6A997-4187-4D90-98D8-CF4F1186FB0C",
"versionEndIncluding": "4.0.47",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CAED9EA-BFA1-4BCF-8323-97AD46AC28C3",
"versionEndIncluding": "5.0.36",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "531CCCBF-46AD-4988-8A9D-ED4FD5208C71",
"versionEndIncluding": "6.0.20",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "868F271E-2595-4D01-BF53-46460F98891A",
"versionEndIncluding": "6.4.5",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "93EB5757-7F98-4428-9616-C30A647A6612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "DA00BDB5-433F-44E5-87AC-DA01C64B5DB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "98C46C92-9D86-45CD-88FE-DFBB5502BB88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."
},
{
"lang": "es",
"value": "Se ha encontrado Cross-Site Scripting (XSS) almacenado en la aplicaci\u00f3n web Zabbix en el elemento Maps si un campo URL est\u00e1 configurado con espacios antes de la URL."
}
],
"id": "CVE-2023-32721",
"lastModified": "2025-11-03T22:16:21.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.7,
"source": "security@zabbix.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-12T07:15:09.677",
"references": [
{
"source": "security@zabbix.com",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"source": "security@zabbix.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.zabbix.com/browse/ZBX-23389"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.zabbix.com/browse/ZBX-23389"
}
],
"sourceIdentifier": "security@zabbix.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@zabbix.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-9GFH-WPPM-MM59
Vulnerability from github – Published: 2023-10-12 09:30 – Updated: 2025-11-04 00:30
VLAI
Details
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
Severity
7.6 (High)
{
"affected": [],
"aliases": [
"CVE-2023-32721"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-12T07:15:09Z",
"severity": "MODERATE"
},
"details": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.",
"id": "GHSA-9gfh-wppm-mm59",
"modified": "2025-11-04T00:30:39Z",
"published": "2023-10-12T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32721"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-23389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2023-32721
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-32721",
"id": "GSD-2023-32721"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-32721"
],
"details": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.",
"id": "GSD-2023-32721",
"modified": "2023-12-13T01:20:23.538468Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@zabbix.com",
"ID": "CVE-2023-32721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Zabbix",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "unaffected",
"versions": [
{
"changes": [
{
"at": "4.0.48rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.0.47",
"status": "affected",
"version": "4.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "5.0.37rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.36",
"status": "affected",
"version": "5.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "6.0.21rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.20",
"status": "affected",
"version": "6.0.0",
"versionType": "git"
},
{
"changes": [
{
"at": "6.4.6rc1",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.4.5",
"status": "affected",
"version": "6.4.0",
"versionType": "git"
},
{
"changes": [
{
"at": "7.0.0alpha4",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.0.0alpha3",
"status": "affected",
"version": "7.0.0alpha1",
"versionType": "git"
}
]
}
}
]
}
}
]
},
"vendor_name": "Zabbix"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "This vulnerability is found by Prasetia from HackerOne community."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-20",
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.zabbix.com/browse/ZBX-23389",
"refsource": "MISC",
"url": "https://support.zabbix.com/browse/ZBX-23389"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81B6A997-4187-4D90-98D8-CF4F1186FB0C",
"versionEndIncluding": "4.0.47",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CAED9EA-BFA1-4BCF-8323-97AD46AC28C3",
"versionEndIncluding": "5.0.36",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "531CCCBF-46AD-4988-8A9D-ED4FD5208C71",
"versionEndIncluding": "6.0.20",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "868F271E-2595-4D01-BF53-46460F98891A",
"versionEndIncluding": "6.4.5",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "93EB5757-7F98-4428-9616-C30A647A6612",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "DA00BDB5-433F-44E5-87AC-DA01C64B5DB3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "98C46C92-9D86-45CD-88FE-DFBB5502BB88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."
},
{
"lang": "es",
"value": "Se ha encontrado Cross-Site Scripting (XSS) almacenado en la aplicaci\u00f3n web Zabbix en el elemento Maps si un campo URL est\u00e1 configurado con espacios antes de la URL."
}
],
"id": "CVE-2023-32721",
"lastModified": "2024-01-24T22:15:14.463",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.7,
"source": "security@zabbix.com",
"type": "Secondary"
}
]
},
"published": "2023-10-12T07:15:09.677",
"references": [
{
"source": "security@zabbix.com",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"source": "security@zabbix.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.zabbix.com/browse/ZBX-23389"
}
],
"sourceIdentifier": "security@zabbix.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@zabbix.com",
"type": "Secondary"
}
]
}
}
}
}
WID-SEC-W-2023-2638
Vulnerability from csaf_certbund - Published: 2023-10-11 22:00 - Updated: 2024-10-03 22:00Summary
Zabbix: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Zabbix ist ein Open-Source Netzwerk-Monitoringsystem.
Angriff: Ein entfernter Angreifer kann mehrere Schwachstellen in Zabbix ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen.
Betroffene Betriebssysteme: - Linux
- UNIX
- Windows
Es besteht eine Schwachstelle in Zabbix. Dieser Fehler existiert im Agent 2-Paket, da es mit der von CVE-2023-24538 betroffenen Go-Version gebaut wurde. Go-Schablonen behandeln Backticks (`) in JavaScript-Schablonenliteralen nicht wie erwartet, was die Einschleusung von beliebigem JavaScript-Code in die Go-Schablonen ermöglicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen.
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Zabbix Zabbix <4.4.8rc1
Zabbix / Zabbix
|
<4.4.8rc1 | ||
|
Zabbix Zabbix <5.0.0alpha4
Zabbix / Zabbix
|
<5.0.0alpha4 | ||
|
Zabbix Zabbix <4.0.20rc1
Zabbix / Zabbix
|
<4.0.20rc1 | ||
|
Zabbix Zabbix <6.0.18
Zabbix / Zabbix
|
<6.0.18 | ||
|
Zabbix Zabbix <5.0.35
Zabbix / Zabbix
|
<5.0.35 | ||
|
Zabbix Zabbix <4.0.48rc1
Zabbix / Zabbix
|
<4.0.48rc1 | ||
|
Zabbix Zabbix <6.4.3
Zabbix / Zabbix
|
<6.4.3 |
In Zabbix existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in Maps element nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, authentisierter Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich.
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Zabbix Zabbix <6.0.21rc1
Zabbix / Zabbix
|
<6.0.21rc1 | ||
|
Zabbix Zabbix <5.0.37rc1
Zabbix / Zabbix
|
<5.0.37rc1 | ||
|
Zabbix Zabbix <7.0.0alpha4
Zabbix / Zabbix
|
<7.0.0alpha4 | ||
|
Zabbix Zabbix <6.4.6rc1
Zabbix / Zabbix
|
<6.4.6rc1 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Zabbix Zabbix <4.4.8rc1
Zabbix / Zabbix
|
<4.4.8rc1 | ||
|
Zabbix Zabbix <5.0.0alpha4
Zabbix / Zabbix
|
<5.0.0alpha4 | ||
|
Zabbix Zabbix <4.0.20rc1
Zabbix / Zabbix
|
<4.0.20rc1 | ||
|
Zabbix Zabbix <6.0.18
Zabbix / Zabbix
|
<6.0.18 | ||
|
Zabbix Zabbix <5.0.35
Zabbix / Zabbix
|
<5.0.35 | ||
|
Zabbix Zabbix <4.0.48rc1
Zabbix / Zabbix
|
<4.0.48rc1 | ||
|
Zabbix Zabbix <6.4.3
Zabbix / Zabbix
|
<6.4.3 |
Es besteht eine Schwachstelle in Zabbix. Dieser Fehler existiert im "zabbix/src/libs/zbxjson" Modul aufgrund eines stapelbasierten Pufferüberlaufs beim Parsen von json-Dateien über "zbx_json_open". Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion.
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Zabbix Zabbix <6.0.21rc1
Zabbix / Zabbix
|
<6.0.21rc1 | ||
|
Zabbix Zabbix <5.0.37rc1
Zabbix / Zabbix
|
<5.0.37rc1 | ||
|
Zabbix Zabbix <7.0.0alpha4
Zabbix / Zabbix
|
<7.0.0alpha4 | ||
|
Zabbix Zabbix <6.4.6rc1
Zabbix / Zabbix
|
<6.4.6rc1 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Zabbix Zabbix <4.4.8rc1
Zabbix / Zabbix
|
<4.4.8rc1 | ||
|
Zabbix Zabbix <5.0.0alpha4
Zabbix / Zabbix
|
<5.0.0alpha4 | ||
|
Zabbix Zabbix <4.0.20rc1
Zabbix / Zabbix
|
<4.0.20rc1 | ||
|
Zabbix Zabbix <6.0.18
Zabbix / Zabbix
|
<6.0.18 | ||
|
Zabbix Zabbix <5.0.35
Zabbix / Zabbix
|
<5.0.35 | ||
|
Zabbix Zabbix <4.0.48rc1
Zabbix / Zabbix
|
<4.0.48rc1 | ||
|
Zabbix Zabbix <6.4.3
Zabbix / Zabbix
|
<6.4.3 |
Es besteht eine Schwachstelle in Zabbix. Dieser Fehler besteht in der Klasse "CControllerAuthenticationUpdate" aufgrund einer ineffizienten Überprüfung der Benutzerrechte, bei der die Anfrage an den LDAP gesendet wird, bevor die Benutzerrechte überprüft werden. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren.
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Zabbix Zabbix <4.4.8rc1
Zabbix / Zabbix
|
<4.4.8rc1 | ||
|
Zabbix Zabbix <5.0.0alpha4
Zabbix / Zabbix
|
<5.0.0alpha4 | ||
|
Zabbix Zabbix <4.0.20rc1
Zabbix / Zabbix
|
<4.0.20rc1 |
Es besteht eine Schwachstelle in Zabbix bezüglich der JS-Engine. Zabbix-Benutzer können direkt auf Speicherzeiger zugreifen und diese modifizieren. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsmaßnahmen zu umgehen.
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Zabbix Zabbix <6.0.21rc1
Zabbix / Zabbix
|
<6.0.21rc1 | ||
|
Zabbix Zabbix <5.0.37rc1
Zabbix / Zabbix
|
<5.0.37rc1 | ||
|
Zabbix Zabbix <7.0.0alpha4
Zabbix / Zabbix
|
<7.0.0alpha4 | ||
|
Zabbix Zabbix <6.4.6rc1
Zabbix / Zabbix
|
<6.4.6rc1 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
Zabbix Zabbix <4.4.8rc1
Zabbix / Zabbix
|
<4.4.8rc1 | ||
|
Zabbix Zabbix <5.0.0alpha4
Zabbix / Zabbix
|
<5.0.0alpha4 | ||
|
Zabbix Zabbix <4.0.20rc1
Zabbix / Zabbix
|
<4.0.20rc1 | ||
|
Zabbix Zabbix <6.0.18
Zabbix / Zabbix
|
<6.0.18 | ||
|
Zabbix Zabbix <5.0.35
Zabbix / Zabbix
|
<5.0.35 | ||
|
Zabbix Zabbix <4.0.48rc1
Zabbix / Zabbix
|
<4.0.48rc1 | ||
|
Zabbix Zabbix <6.4.3
Zabbix / Zabbix
|
<6.4.3 |
References
9 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Zabbix ist ein Open-Source Netzwerk-Monitoringsystem.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Zabbix ausnutzen, um beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2638 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2638.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2638 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2638"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-3717 vom 2024-01-24",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"
},
{
"category": "external",
"summary": "ZABBIX BUGS AND ISSUES ZBX-23230 vom 2023-10-11",
"url": "https://support.zabbix.com/browse/ZBX-23230"
},
{
"category": "external",
"summary": "ZABBIX BUGS AND ISSUES ZBX-23388 vom 2023-10-11",
"url": "https://support.zabbix.com/browse/ZBX-23388"
},
{
"category": "external",
"summary": "ZABBIX BUGS AND ISSUES ZBX-23389 vom 2023-10-11",
"url": "https://support.zabbix.com/browse/ZBX-23389"
},
{
"category": "external",
"summary": "ZABBIX BUGS AND ISSUES ZBX-23390 vom 2023-10-11",
"url": "https://support.zabbix.com/browse/ZBX-23390"
},
{
"category": "external",
"summary": "ZABBIX BUGS AND ISSUES ZBX-23391 vom 2023-10-11",
"url": "https://support.zabbix.com/browse/ZBX-23391"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-3909 vom 2024-10-03",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
}
],
"source_lang": "en-US",
"title": "Zabbix: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-10-03T22:00:00.000+00:00",
"generator": {
"date": "2024-10-04T08:13:28.359+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.8"
}
},
"id": "WID-SEC-W-2023-2638",
"initial_release_date": "2023-10-11T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-10-11T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-01-24T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2024-10-03T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.0.0alpha4",
"product": {
"name": "Zabbix Zabbix \u003c5.0.0alpha4",
"product_id": "T030478"
}
},
{
"category": "product_version",
"name": "5.0.0alpha4",
"product": {
"name": "Zabbix Zabbix 5.0.0alpha4",
"product_id": "T030478-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:5.0.0alpha4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.4.8rc1",
"product": {
"name": "Zabbix Zabbix \u003c4.4.8rc1",
"product_id": "T030479"
}
},
{
"category": "product_version",
"name": "4.4.8rc1",
"product": {
"name": "Zabbix Zabbix 4.4.8rc1",
"product_id": "T030479-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:4.4.8rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.20rc1",
"product": {
"name": "Zabbix Zabbix \u003c4.0.20rc1",
"product_id": "T030480"
}
},
{
"category": "product_version",
"name": "4.0.20rc1",
"product": {
"name": "Zabbix Zabbix 4.0.20rc1",
"product_id": "T030480-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:4.0.20rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.0.35",
"product": {
"name": "Zabbix Zabbix \u003c5.0.35",
"product_id": "T030481"
}
},
{
"category": "product_version",
"name": "5.0.35",
"product": {
"name": "Zabbix Zabbix 5.0.35",
"product_id": "T030481-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:5.0.35"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.18",
"product": {
"name": "Zabbix Zabbix \u003c6.0.18",
"product_id": "T030482"
}
},
{
"category": "product_version",
"name": "6.0.18",
"product": {
"name": "Zabbix Zabbix 6.0.18",
"product_id": "T030482-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:6.0.18"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.4.3",
"product": {
"name": "Zabbix Zabbix \u003c6.4.3",
"product_id": "T030483"
}
},
{
"category": "product_version",
"name": "6.4.3",
"product": {
"name": "Zabbix Zabbix 6.4.3",
"product_id": "T030483-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:6.4.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.48rc1",
"product": {
"name": "Zabbix Zabbix \u003c4.0.48rc1",
"product_id": "T030484"
}
},
{
"category": "product_version",
"name": "4.0.48rc1",
"product": {
"name": "Zabbix Zabbix 4.0.48rc1",
"product_id": "T030484-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:4.0.48rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.0.37rc1",
"product": {
"name": "Zabbix Zabbix \u003c5.0.37rc1",
"product_id": "T030485"
}
},
{
"category": "product_version",
"name": "5.0.37rc1",
"product": {
"name": "Zabbix Zabbix 5.0.37rc1",
"product_id": "T030485-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:5.0.37rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.21rc1",
"product": {
"name": "Zabbix Zabbix \u003c6.0.21rc1",
"product_id": "T030486"
}
},
{
"category": "product_version",
"name": "6.0.21rc1",
"product": {
"name": "Zabbix Zabbix 6.0.21rc1",
"product_id": "T030486-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:6.0.21rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.4.6rc1",
"product": {
"name": "Zabbix Zabbix \u003c6.4.6rc1",
"product_id": "T030487"
}
},
{
"category": "product_version",
"name": "6.4.6rc1",
"product": {
"name": "Zabbix Zabbix 6.4.6rc1",
"product_id": "T030487-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:6.4.6rc1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.0.0alpha4",
"product": {
"name": "Zabbix Zabbix \u003c7.0.0alpha4",
"product_id": "T030488"
}
},
{
"category": "product_version",
"name": "7.0.0alpha4",
"product": {
"name": "Zabbix Zabbix 7.0.0alpha4",
"product_id": "T030488-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:zabbix:zabbix:7.0.0alpha4"
}
}
}
],
"category": "product_name",
"name": "Zabbix"
}
],
"category": "vendor",
"name": "Zabbix"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-29453",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Zabbix. Dieser Fehler existiert im Agent 2-Paket, da es mit der von CVE-2023-24538 betroffenen Go-Version gebaut wurde. Go-Schablonen behandeln Backticks (`) in JavaScript-Schablonenliteralen nicht wie erwartet, was die Einschleusung von beliebigem JavaScript-Code in die Go-Schablonen erm\u00f6glicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
}
],
"product_status": {
"known_affected": [
"2951",
"T030479",
"T030478",
"T030480",
"T030482",
"T030481",
"T030484",
"T030483"
]
},
"release_date": "2023-10-11T22:00:00.000+00:00",
"title": "CVE-2023-29453"
},
{
"cve": "CVE-2023-32721",
"notes": [
{
"category": "description",
"text": "In Zabbix existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in Maps element nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, authentisierter Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
}
],
"product_status": {
"known_affected": [
"T030486",
"T030485",
"T030488",
"T030487",
"2951",
"T030479",
"T030478",
"T030480",
"T030482",
"T030481",
"T030484",
"T030483"
]
},
"release_date": "2023-10-11T22:00:00.000+00:00",
"title": "CVE-2023-32721"
},
{
"cve": "CVE-2023-32722",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Zabbix. Dieser Fehler existiert im \"zabbix/src/libs/zbxjson\" Modul aufgrund eines stapelbasierten Puffer\u00fcberlaufs beim Parsen von json-Dateien \u00fcber \"zbx_json_open\". Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T030486",
"T030485",
"T030488",
"T030487",
"2951",
"T030479",
"T030478",
"T030480",
"T030482",
"T030481",
"T030484",
"T030483"
]
},
"release_date": "2023-10-11T22:00:00.000+00:00",
"title": "CVE-2023-32722"
},
{
"cve": "CVE-2023-32723",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Zabbix. Dieser Fehler besteht in der Klasse \"CControllerAuthenticationUpdate\" aufgrund einer ineffizienten \u00dcberpr\u00fcfung der Benutzerrechte, bei der die Anfrage an den LDAP gesendet wird, bevor die Benutzerrechte \u00fcberpr\u00fcft werden. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren."
}
],
"product_status": {
"known_affected": [
"2951",
"T030479",
"T030478",
"T030480"
]
},
"release_date": "2023-10-11T22:00:00.000+00:00",
"title": "CVE-2023-32723"
},
{
"cve": "CVE-2023-32724",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in Zabbix bez\u00fcglich der JS-Engine. Zabbix-Benutzer k\u00f6nnen direkt auf Speicherzeiger zugreifen und diese modifizieren. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
}
],
"product_status": {
"known_affected": [
"T030486",
"T030485",
"T030488",
"T030487",
"2951",
"T030479",
"T030478",
"T030480",
"T030482",
"T030481",
"T030484",
"T030483"
]
},
"release_date": "2023-10-11T22:00:00.000+00:00",
"title": "CVE-2023-32724"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…