Reflected XSS in graph configuration window of Zabbix Frontend

An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Zabbix Frontend 跨站脚本漏洞

Zabbix Frontend是美国Zabbix公司的一个监控软件前端工具。 Zabbix Frontend 4.0.0至4.0.38版本, 5.0.0至5.0.20版本, 5.4.0至5.4.10版本, 6.0版本存在安全漏洞，该漏洞允许经过身份验证的攻击者为图形页面创建一个带有反射 Javascript 代码的链接，并将其发送给其他受害者。

N/A

N/A