CVE-2022-23134

Summary

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

Affected Software

VendorProductVersion RangeStatus
ZabbixFrontend5.4.0 - 5.4.8affected
ZabbixFrontend5.4.9 < 5.4.9*unaffected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

If an immediate update is not possible, please remove the setup.php file

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: partial

Additional References

References