CVE-2022-35229

Reflected XSS in discovery page of Zabbix Frontend

Description

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

Remediation

Solution:

  • To remediate this vulnerability, apply the updates

Workaround:

  • The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to the discoveryconf.php page of Zabbix Frontend and contain suspicious parameters with special symbols. If you have clicked on the suspicious link, do not fill out the opened form.

Category

3.7
CVSS
Severity: Low
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.44%
Vendor Advisory zabbix.com
Affected: Zabbix Frontend
Published at:
Updated at:

References

Link Tags
https://support.zabbix.com/browse/ZBX-21306 issue tracking patch vendor advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html mailing list
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html mailing list

Frequently Asked Questions

What is the severity of CVE-2022-35229?
CVE-2022-35229 has been scored as a low severity vulnerability.
How to fix CVE-2022-35229?
To fix CVE-2022-35229: To remediate this vulnerability, apply the updates
Is CVE-2022-35229 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-35229 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-35229?
CVE-2022-35229 affects Zabbix Frontend.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.