After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

According to its self-reported version number, the instance of Zabbix running on the remote host is 5.4.x prior to 5.4.9. It is, therefore, affected by multiple vulnerabilities:

  - In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified     by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor     may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack,     SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the     guest account, which is disabled by default). (CVE-2022-23131)

  - During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in     [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute     permissions check on the file system level. (CVE-2022-23132)

  - An authenticated user can create a hosts group from the configuration with XSS payload, which will be available     for other users. (CVE-2022-23133)

  - After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but     by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of     Zabbix Frontend. (CVE-2022-23134)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0036-1 advisory.

  - Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before     5.0.2rc1 allows stored XSS in the URL Widget. (CVE-2020-15803)

  - In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and     5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection     mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker     doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact     information of an existing user with sufficient privileges. (CVE-2021-27927)

  - After the initial setup process, some steps of setup.php file are reachable not only by super-     administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially     change the configuration of Zabbix Frontend. (CVE-2022-23134)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2914 advisory.

  - After the initial setup process, some steps of setup.php file are reachable not only by super-     administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially     change the configuration of Zabbix Frontend. (CVE-2022-23134)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
158452	Zabbix 5.4.x < 5.4.9 Multiple Vulnerabilities	Nessus	CGI abuses	critical
158130	openSUSE 15 Security Update : zabbix (openSUSE-SU-2022:0036-1)	Nessus	SuSE Local Security Checks	high
157409	Debian DLA-2914-1 : zabbix - LTS security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2022-23134

medium

Tenable Plugins

critical

high

medium