CVE-2022-24349
zabbix - security update
4.4
MEDIUM
CVSS 3.1
EPSS 0.85%
描述
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.
如何修補 CVE-2022-24349
要修補 CVE-2022-24349,請將受影響套件升級到下列已修補版本。
- —升級至 1:5.0.44+dfsg-1+deb11u1 或更新版本
- —升級至 1:3.0.32+dfsg-0+deb9u3 或更新版本
CVE-2022-24349 正在被利用嗎?
低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。
受影響套件(2)
- from 0, < 1:5.0.44+dfsg-1+deb11u1
- from 0, < 1:3.0.32+dfsg-0+deb9u3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |