CVE-2023-29454 - OpenCVE

Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zabbix	Frontend

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:frontend::::::::
	cpe:2.3:a:zabbix:frontend::::::::
	cpe:2.3:a:zabbix:frontend::::::::

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
https://support.zabbix.com/browse/ZBX-22985

History

No history.

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2023-07-13T09:30:27.523Z

Updated: 2024-08-02T14:07:46.221Z

Reserved: 2023-04-06T18:04:44.892Z

Link: CVE-2023-29454

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-07-13T10:15:09.320

Modified: 2023-08-22T19:16:35.460

Link: CVE-2023-29454

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29454", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2023-04-06T18:04:44.892Z", "datePublished": "2023-07-13T09:30:27.523Z", "dateUpdated": "2024-08-02T14:07:46.221Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Frontend"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "4.0.46rc1", "status": "unaffected"}], "lessThanOrEqual": "4.0.45", "status": "affected", "version": "4.0.0", "versionType": "git"}, {"changes": [{"at": "5.0.35rc1", "status": "unaffected"}], "lessThanOrEqual": "5.0.33", "status": "affected", "version": "5.0.0", "versionType": "git"}, {"changes": [{"at": "6.0.18rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.16", "status": "affected", "version": "6.0.0", "versionType": "git"}]}], "datePublic": "2023-06-16T10:42:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": " Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages."}], "value": " Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-07-13T09:30:27.523Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-22985"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Persistent XSS in the user form", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:46.221Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-22985", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:frontend:*:*:*:*:*:*:*:*", "matchCriteriaId": "735143E4-3065-47B9-850B-3B35ED2D5BEF", "versionEndIncluding": "4.0.45", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:frontend:*:*:*:*:*:*:*:*", "matchCriteriaId": "57877BF4-6CA1-4E9A-AF16-DCE2BAA98684", "versionEndIncluding": "5.0.33", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:frontend:*:*:*:*:*:*:*:*", "matchCriteriaId": "F97098D9-FF13-43E6-BB62-ADC1DD1BAC09", "versionEndIncluding": "6.0.16", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": " Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages."}], "id": "CVE-2023-29454", "lastModified": "2023-08-22T19:16:35.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "security@zabbix.com", "type": "Secondary"}]}, "published": "2023-07-13T10:15:09.320", "references": [{"source": "security@zabbix.com", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"}, {"source": "security@zabbix.com", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-22985"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@zabbix.com", "type": "Secondary"}]}