Headline
CVE-2023-32721: [ZBX-23389] Stored XSS in Maps element (CVE-2023-32721)
A stored XSS has been found in the Zabbix web application in the Maps element when a URL field is set with spaces before the URL.
Mitre ID
CVE-2023-32721
CVSS score
7.6
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Severity
High
Summary
Stored XSS in Maps element
Description
A stored XSS has been found in the Zabbix web application in the Maps element when a URL field is set with spaces before the URL.
Known attack vectors
The impact of a successful XSS exploitation varies. In a worst-case scenario, an attacker can execute JavaScript code within the victim’s browser. This opens the door to many scenarios, of which the most common are session hijacking, user impersonation and client-side attacks.
Patch provided
No
Component/s
API, Frontend
Affected version/s and fix version/s
4.0.0 - 4.0.47 / 4.0.48rc1
5.0.0 - 5.0.36 / 5.0.37rc1
6.0.0 - 6.0.20 / 6.0.21rc1
6.4.0 - 6.4.5 / 6.4.6rc1
7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4
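To check an installed frontend version against the ranges above, the following added example (not code from Zabbix or from this advisory) classifies a version string as affected, fixed or not listed. It assumes version strings of the form x.y.z with an optional alpha/beta/rc suffix, and that every later release in a branch carries that branch's fix.

```python
import re

# (first affected, last affected, first fixed), copied from the advisory's list.
RANGES = [
    ("4.0.0", "4.0.47", "4.0.48rc1"),
    ("5.0.0", "5.0.36", "5.0.37rc1"),
    ("6.0.0", "6.0.20", "6.0.21rc1"),
    ("6.4.0", "6.4.5", "6.4.6rc1"),
    ("7.0.0alpha1", "7.0.0alpha3", "7.0.0alpha4"),
]

# Pre-release stages sort before the final release of the same x.y.z.
# "beta" does not appear in the advisory; its position is an assumption.
STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse(version):
    """Turn '6.4.6rc1' into a tuple that compares in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch), STAGE[stage or ""], int(n or 0))


def status(version):
    """Return 'affected', 'fixed' or 'not-listed' for CVE-2023-32721."""
    v = parse(version)
    for first, last, fixed in RANGES:
        lo, hi, fx = parse(first), parse(last), parse(fixed)
        if v[:2] != lo[:2]:      # different release branch (x.y)
            continue
        if v >= fx:              # assumption: later releases keep the fix
            return "fixed"
        if lo <= v <= hi:
            return "affected"
    return "not-listed"          # the advisory makes no statement here


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for installed in ["6.0.20", "6.4.6rc1", "7.0.0alpha3", "6.2.0"]:
        print(installed, status(installed))
```

A result of `not-listed` (for example a 6.2.x install) means the advisory does not cover that branch, not that the branch is safe.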
Fix compatibility tests
-
Resolution
Fixed
Workarounds
-
Acknowledgements
This vulnerability was reported on the HackerOne platform by prasetia.