CVE-2023-32721 - OpenCVE

A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zabbix	Zabbix

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2::::::
	cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3::::::

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html
https://support.zabbix.com/browse/ZBX-23389

History

No history.

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2023-10-12T06:04:10.100Z

Updated: 2024-08-02T15:25:36.887Z

Reserved: 2023-05-11T21:25:43.367Z

Link: CVE-2023-32721

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-10-12T07:15:09.677

Modified: 2024-01-24T22:15:14.463

Link: CVE-2023-32721

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32721", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2023-05-11T21:25:43.367Z", "datePublished": "2023-10-12T06:04:10.100Z", "dateUpdated": "2024-08-02T15:25:36.887Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["API", "Frontend"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "4.0.48rc1", "status": "unaffected"}], "lessThanOrEqual": "4.0.47", "status": "affected", "version": "4.0.0", "versionType": "git"}, {"changes": [{"at": "5.0.37rc1", "status": "unaffected"}], "lessThanOrEqual": "5.0.36", "status": "affected", "version": "5.0.0", "versionType": "git"}, {"changes": [{"at": "6.0.21rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.20", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "6.4.6rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.5", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.0alpha4", "status": "unaffected"}], "lessThanOrEqual": "7.0.0alpha3", "status": "affected", "version": "7.0.0alpha1", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "This vulnerability is found by Prasetia from HackerOne community."}], "datePublic": "2023-09-11T09:50:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."}], "value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2023-10-12T06:04:10.100Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-23389"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS in Maps element", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:36.887Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zabbix.com/browse/ZBX-23389", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "81B6A997-4187-4D90-98D8-CF4F1186FB0C", "versionEndIncluding": "4.0.47", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CAED9EA-BFA1-4BCF-8323-97AD46AC28C3", "versionEndIncluding": "5.0.36", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "531CCCBF-46AD-4988-8A9D-ED4FD5208C71", "versionEndIncluding": "6.0.20", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "868F271E-2595-4D01-BF53-46460F98891A", "versionEndIncluding": "6.4.5", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "93EB5757-7F98-4428-9616-C30A647A6612", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "DA00BDB5-433F-44E5-87AC-DA01C64B5DB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:7.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "98C46C92-9D86-45CD-88FE-DFBB5502BB88", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL."}, {"lang": "es", "value": "Se ha encontrado Cross-Site Scripting (XSS) almacenado en la aplicaci\u00f3n web Zabbix en el elemento Maps si un campo URL est\u00e1 configurado con espacios antes de la URL."}], "id": "CVE-2023-32721", "lastModified": "2024-01-24T22:15:14.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security@zabbix.com", "type": "Secondary"}]}, "published": "2023-10-12T07:15:09.677", "references": [{"source": "security@zabbix.com", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html"}, {"source": "security@zabbix.com", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-23389"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@zabbix.com", "type": "Secondary"}]}