Headline
CVE-2023-29454: [ZBX-22985] Persistent XSS in the user form (CVE-2023-29454)
Mitre ID
CVE-2023-29454
CVSS score
5.4
Severity
Medium
Summary
Persistent XSS in the user form
Description
Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, the application saves the payload (e.g., in a database or in server-side text files), and the payload is later served back unescaped, so that every victim's browser executes it when they view the affected web page.
Known attack vectors
The vulnerability was found in the "Users" section, in the "Media" tab, in the "Send to" form field. When a new media entry is created with malicious code in the "Send to" field, that code is executed when the same media entry is later opened for editing, because the stored value is written back into the edit form without being escaped.
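The following is an added example, not Zabbix code and not the project's fix: it models the description and attack vector above with a hypothetical "Send to" form renderer. The stored value is a constructed payload of the kind described; `renderSendToUnsafe`, `renderSendToSafe`, `escapeHtml` and the other function names are assumptions for illustration. It shows why concatenating a stored value into an attribute lets the value close the attribute and inject a new element with an event handler, and how escaping for the attribute context keeps the stored value as data that round-trips intact.

```javascript
// Added example (hypothetical code, not Zabbix's): a stored "Send to" value
// rendered back into an edit form, unescaped (vulnerable) and escaped (hardened).

// Constructed payload: closes the value attribute, then injects an element
// whose event handler runs when the edit form is displayed.
const STORED_SENDTO = '"><img src=x onerror=alert(document.domain)>';

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml; '&amp;' is handled last so it is not double-decoded.
function unescapeHtml(s) {
  return String(s)
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable: the stored value is concatenated straight into the markup.
function renderSendToUnsafe(value) {
  return '<input type="text" name="sendto" value="' + value + '">';
}

// Hardened: same markup, but the stored value is escaped for the attribute.
function renderSendToSafe(value) {
  return '<input type="text" name="sendto" value="' + escapeHtml(value) + '">';
}

// Count start tags in rendered markup. The edit field should produce exactly
// one (<input>); a second tag means the stored value became markup.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^\s>\/]*/g) || []).length;
}

// Recover what a browser would show as the field's value: the first quoted
// value attribute, decoded. Shows whether the stored data survived intact.
function extractInputValue(html) {
  const m = html.match(/value="([^"]*)"/);
  return m ? unescapeHtml(m[1]) : null;
}

// Simulate opening the "edit media" form with the stored payload.
function demo() {
  const unsafe = renderSendToUnsafe(STORED_SENDTO);
  const safe = renderSendToSafe(STORED_SENDTO);
  return {
    unsafeTags: countStartTags(unsafe),      // 2: <input> plus injected <img>
    safeTags: countStartTags(safe),          // 1
    unsafeValue: extractInputValue(unsafe),  // '' : value truncated at the first quote
    safeValue: extractInputValue(safe),      // the stored string, unchanged
  };
}

console.log(demo());
```

The hardened renderer still builds HTML as a string, which is only safe if every interpolated value is escaped for the context it lands in; where the form is built in the browser, setting `input.value = stored` (or `setAttribute`) avoids string assembly altogether and is the preferable fix. Note also that a naive grep for `onerror=` flags both outputs, because the escaped payload still contains that text inside the attribute value; the tag count and the round-tripped value are what distinguish data from markup.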
Patch provided
No
Component/s
Frontend
Affected version/s and fix version/s
- Affected: 4.0.45, 5.0.33, 6.0.16
- Fix: 4.0.46rc1, 5.0.35rc1, 6.0.18rc1
Fix compatibility tests
Resolution
Fixed
Workarounds
None
Acknowledgements