CVE-2022-35229

Name	CVE-2022-35229
Description	An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3390-1, DLA-3909-1
Debian Bugs	1014992

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
zabbix (PTS)	jessie, jessie (lts)	1:2.2.23+dfsg-0+deb8u8	fixed
	stretch (security)	1:3.0.32+dfsg-0+deb9u3	fixed
	stretch (lts), stretch	1:3.0.32+dfsg-0+deb9u7	fixed
	buster (security), buster, buster (lts)	1:4.0.4+dfsg-1+deb10u5	fixed
	bullseye	1:5.0.8+dfsg-1	vulnerable
	bullseye (security)	1:5.0.44+dfsg-1+deb11u1	fixed
	bookworm	1:6.0.14+dfsg-1	fixed
	sid, trixie	1:7.0.5+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
zabbix	source	experimental	1:6.0.6+dfsg-1
zabbix	source	jessie	(not affected)
zabbix	source	stretch	(not affected)
zabbix	source	buster	1:4.0.4+dfsg-1+deb10u1	DLA-3390-1
zabbix	source	bullseye	1:5.0.44+dfsg-1+deb11u1	DLA-3909-1
zabbix	source	(unstable)	1:6.0.7+dfsg-2		1014992

Notes

https://support.zabbix.com/browse/ZBX-21306
Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c (5.0.25rc1)
[stretch] - zabbix <not-affected> (vulnerable code introduced later)
[jessie] - zabbix <not-affected> (vulnerable code introduced later)