CVE-2022-23133 MEDIUM

CVE-2022-23133: Stored XSS in host groups configuration window in Zabbix Frontend

Vendor Zabbix

Product Frontend

Weakness CWE-79 · XSS

Published January 13, 2022

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire and the actor can steal session cookies and perform session hijacking to impersonate users or take over their accounts.

Key dates

02Disclosure timeline

January 13, 2022 CVE published

November 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23133

Related vulnerabilities

04Related CVE

CVE-2026-0835 CVE-2026-6619 langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting CVE-2025-4682 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider and Post Carousel Widgets CVE-2024-8991 OSM <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes CVE-2024-4648 Campcodes Complete Web-Based School Management System student_exam_mark_update_form.php cross site scripting

Identifiers

CVE CVE-2022-23133

CWE CWE-79

CVSS 6.3 / MEDIUM

Affected versions

Vendor Zabbix

Product Frontend

Affected 5.0.0 – 5.0.18

Vendor Zabbix

Product Frontend

Affected 5.4.0 – 5.4.8