Headline
CVE-2023-29452: [ZBX-22981] Possibility to add html code into Geomap attribution field (CVE-2023-29452)
Currently, Geomap configuration (Administration) allows using HTML in the attribution field.
**Type:** Defect (Security)
Status: Closed
**Priority:** Trivial
Resolution: Fixed
Affects Version/s: 6.0.17, 6.4.2, 7.0.0alpha1
Mitre ID
CVE-2023-29452
CVSS score
5.5
Severity
Medium
Summary
Possibility to add html code into Geomap attribution field
Description
Currently, the geomap configuration (Administration → General → Geographical maps) allows HTML in the “Attribution text” field when “Other” is selected as the Tile provider.
Known attack vectors
Text entered in the “Attribution text” field is displayed in a small text box on the map. Malicious code can be entered into the field and is executed when a user views the map.
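The flaw class described above, as an added example that is not Zabbix code and not the project's actual fix: an attribution string used as markup versus encoded as text, plus a check that flags stored values containing tags for review. The record shape, function names and sample values are constructed for illustration.

```javascript
// Added example: hypothetical names and constructed data, not Zabbix code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern described in the issue: the stored value is emitted as markup,
// so any tags an administrator saved become part of the page.
function renderAttributionUnsafe(config) {
  return '<div class="map-attribution">' + config.attribution + '</div>';
}

// Hardened pattern: the stored value is always treated as plain text.
function renderAttributionSafe(config) {
  return '<div class="map-attribution">' + escapeHtml(config.attribution) + '</div>';
}

// Audit helper: list "Other" tile-provider records whose attribution text
// contains tag-like sequences, so they can be reviewed after upgrading.
function findMarkupInAttributions(configs) {
  const tagLike = /<\s*\/?\s*[a-zA-Z!][^>]*>/;
  return configs
    .filter((c) => c.tileProvider === 'Other' && tagLike.test(c.attribution))
    .map((c) => c.name);
}

// Constructed sample records (hypothetical shape).
const SAMPLE_CONFIGS = [
  { name: 'osm-mirror', tileProvider: 'Other', attribution: '(c) Example Tiles & contributors' },
  { name: 'lab-tiles', tileProvider: 'Other', attribution: '<a href="https://tiles.example/">Tiles</a>' },
];

for (const c of SAMPLE_CONFIGS) {
  console.log(c.name, '->', renderAttributionSafe(c));
}
console.log('needs review:', findMarkupInAttributions(SAMPLE_CONFIGS));
```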
Patch provided
No
Component/s
Frontend
Affected version/s and fix version/s
- Affected: 6.0.17, 6.4.2, 7.0.0alpha1
- Fix: 6.0.18rc1, 6.4.2rc1, 7.0.0alpha1
Fix compatibility tests
-
Resolution
Fixed
Workarounds
None
Acknowledgements
duplicates
ZBX-22720 Remove possibility to add html into Geomap attribution field (CVE-2023-29452)
- Closed