CVE-2022-24349 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-24349 Interim 1 8 2023-02-10T00:32:58Z current 2022-03-11T02:54:50Z 2023-02-10T00:32:58Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-24349 An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2022-April/010634.html E-Mail link for SUSE-CU-2022:493-1 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010744.html E-Mail link for SUSE-SU-2022:1254-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 openSUSE Tumbleweed zabbix zabbix-agent zabbix-agent-4.0.12-4.15.2 zabbix-agent-4.0.39-1.1 zabbix-java-gateway-4.0.39-1.1 zabbix-phpfrontend-4.0.39-1.1 zabbix-proxy-4.0.39-1.1 zabbix-proxy-mysql-4.0.39-1.1 zabbix-proxy-postgresql-4.0.39-1.1 zabbix-proxy-sqlite-4.0.39-1.1 zabbix-server-4.0.39-1.1 zabbix-server-mysql-4.0.39-1.1 zabbix-server-postgresql-4.0.39-1.1 zabbix-agent-4.0.12-4.15.2 as a component of SUSE Linux Enterprise Server 12 SP3-TERADATA zabbix-agent-4.0.12-4.15.2 as a component of SUSE Linux Enterprise Server 12 SP5 zabbix-agent-4.0.12-4.15.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 zabbix-agent-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-java-gateway-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-phpfrontend-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-proxy-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-proxy-mysql-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-proxy-postgresql-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-proxy-sqlite-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-server-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-server-mysql-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-server-postgresql-4.0.39-1.1 as a component of openSUSE Tumbleweed zabbix-agent as a component of HPE Helion OpenStack 8 zabbix as a component of HPE Helion OpenStack 8 zabbix-agent as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS zabbix as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS zabbix-agent as a component of SUSE Linux Enterprise Server 12 SP4-LTSS zabbix as a component of SUSE Linux Enterprise Server 12 SP4-LTSS zabbix-agent as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 zabbix as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 zabbix as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 zabbix-agent as a component of SUSE OpenStack Cloud 8 zabbix as a component of SUSE OpenStack Cloud 8 zabbix-agent as a component of SUSE OpenStack Cloud 9 zabbix as a component of SUSE OpenStack Cloud 9 zabbix-agent as a component of SUSE OpenStack Cloud Crowbar 8 zabbix as a component of SUSE OpenStack Cloud Crowbar 8 zabbix-agent as a component of SUSE OpenStack Cloud Crowbar 9 zabbix as a component of SUSE OpenStack Cloud Crowbar 9 An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. CVE-2022-24349 SUSE Linux Enterprise Server 12 SP3-TERADATA:zabbix-agent-4.0.12-4.15.2 SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.15.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.15.2 openSUSE Tumbleweed:zabbix-agent-4.0.39-1.1 openSUSE Tumbleweed:zabbix-java-gateway-4.0.39-1.1 openSUSE Tumbleweed:zabbix-phpfrontend-4.0.39-1.1 openSUSE Tumbleweed:zabbix-proxy-4.0.39-1.1 openSUSE Tumbleweed:zabbix-proxy-mysql-4.0.39-1.1 openSUSE Tumbleweed:zabbix-proxy-postgresql-4.0.39-1.1 openSUSE Tumbleweed:zabbix-proxy-sqlite-4.0.39-1.1 openSUSE Tumbleweed:zabbix-server-4.0.39-1.1 openSUSE Tumbleweed:zabbix-server-mysql-4.0.39-1.1 openSUSE Tumbleweed:zabbix-server-postgresql-4.0.39-1.1 HPE Helion OpenStack 8:zabbix HPE Helion OpenStack 8:zabbix-agent SUSE Linux Enterprise Server 12 SP4-ESPOS:zabbix SUSE Linux Enterprise Server 12 SP4-ESPOS:zabbix-agent SUSE Linux Enterprise Server 12 SP4-LTSS:zabbix SUSE Linux Enterprise Server 12 SP4-LTSS:zabbix-agent SUSE Linux Enterprise Server for SAP Applications 12 SP4:zabbix SUSE Linux Enterprise Server for SAP Applications 12 SP4:zabbix-agent SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix SUSE OpenStack Cloud 8:zabbix SUSE OpenStack Cloud 8:zabbix-agent SUSE OpenStack Cloud 9:zabbix SUSE OpenStack Cloud 9:zabbix-agent SUSE OpenStack Cloud Crowbar 8:zabbix SUSE OpenStack Cloud Crowbar 8:zabbix-agent SUSE OpenStack Cloud Crowbar 9:zabbix SUSE OpenStack Cloud Crowbar 9:zabbix-agent moderate 2.1 AV:N/AC:H/Au:S/C:N/I:P/A:N 4.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L