CVE-2022-40626

Reflected XSS in the backurl parameter of Zabbix Frontend

Description

An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.

Remediation

Solution:

  • To remediate this vulnerability, apply the updates

Workaround:

  • The vulnerability can be exploited only by authenticated users. If an immediate update is not possible, review user access rights to your Zabbix Frontend, be attentive to browser warnings and always check any links you can receive via email or other means of communication, which lead to Zabbix Frontend and contain suspicious parameters with special symbols.

Category

4.8
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 1.13% Top 25%
Vendor Advisory fedoraproject.org Vendor Advisory zabbix.com
Affected: Zabbix Frontend
Published at:
Updated at:

References

Link Tags
https://support.zabbix.com/browse/ZBX-21350 patch vendor advisory issue tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPU4RCRYVNVM3SS523UQXE63ATCTEX5G/ vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-40626?
CVE-2022-40626 has been scored as a medium severity vulnerability.
How to fix CVE-2022-40626?
To fix CVE-2022-40626: To remediate this vulnerability, apply the updates
Is CVE-2022-40626 being actively exploited in the wild?
It is possible that CVE-2022-40626 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-40626?
CVE-2022-40626 affects Zabbix Frontend.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.