CVE-2023-32721
📋 TL;DR
CVE-2023-32721 is a stored cross-site scripting (XSS) vulnerability in Zabbix's web application that allows attackers to inject malicious scripts into map URL fields when spaces precede the URL. This affects all Zabbix users with web interface access. Successful exploitation enables attackers to execute arbitrary JavaScript in victims' browsers.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect users to malicious sites, or compromise the Zabbix server through chained attacks.
Likely Case
Attackers with access to create or modify maps could inject malicious scripts that execute when other users view those maps, potentially leading to session hijacking or credential theft.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access with map editing privileges. The vulnerability is straightforward to exploit once an attacker has the necessary access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 6.0.27, 6.4.10, or 7.0.0alpha1 and later
Vendor Advisory: https://support.zabbix.com/browse/ZBX-23389
Restart Required: Yes
Instructions:
1. Back up your Zabbix configuration and database.
2. Download the patched version from zabbix.com/download.
3. Follow the Zabbix upgrade documentation for your version.
4. Restart Zabbix services after the upgrade.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom input validation to strip or reject URLs with leading spaces in map URL fields
# Requires custom Zabbix frontend modification - not trivial
Restrict Map Editing Permissions
Limit map creation and modification to essential administrative users only
# Configure in Zabbix web interface: Administration -> User groups -> Permissions
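The input-validation workaround above, written out as an added example (this is not Zabbix code and not a drop-in for the PHP frontend): a server-side check that refuses a map URL with leading or trailing whitespace or control characters and allows only http/https schemes, followed by the output encoding that the "If Mitigated" section relies on. The function names, the choice to reject rather than trim, and the attribute-context escaping are this example's own assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a map link is allowed to use; anything else (javascript:, data:, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# C0 control characters and DEL: browsers strip some of these before scheme parsing,
# so a value containing them must never reach the stored field.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_map_url(raw: str) -> str:
    """Return the URL unchanged if it is acceptable for a map URL field, else raise ValueError.

    Leading/trailing whitespace is rejected rather than silently trimmed, so the
    operator sees the problem instead of relying on a trim being applied everywhere.
    """
    if not isinstance(raw, str) or not raw:
        raise ValueError("URL is empty")
    if raw != raw.strip():
        raise ValueError("URL must not start or end with whitespace")
    if CONTROL_CHARS.search(raw):
        raise ValueError("URL contains control characters")
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return raw


def is_safe_map_url(raw: str) -> bool:
    """Boolean wrapper around validate_map_url for callers that only need yes/no."""
    try:
        validate_map_url(raw)
        return True
    except ValueError:
        return False


def render_map_link(url: str, label: str) -> str:
    """Output encoding: build an <a> element with both the attribute and the text escaped.

    Even a validated URL is escaped on output so that characters such as '"' or '&'
    can only ever appear as text, never as markup.
    """
    safe_url = validate_map_url(url)
    return f'<a href="{html.escape(safe_url, quote=True)}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for candidate in ["https://example.com/status", "  https://example.com/status", "javascript:void(0)"]:
        print(repr(candidate), "->", "accepted" if is_safe_map_url(candidate) else "rejected")
    print(render_map_link("https://example.com/?a=1&b=2", 'Map "A"'))
```

Validation and encoding are deliberately separate steps: validation keeps unwanted schemes out of the database, and escaping on output guarantees that whatever does get stored cannot break out of the attribute when the map is rendered.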
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Enable web application firewall (WAF) rules to detect and block XSS payloads in URL parameters
🔍 How to Verify
Check if Vulnerable:
Check Zabbix version via web interface (Administration -> About) or command line: zabbix_server --version
Check Version:
zabbix_server --version | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'
Verify Fix Applied:
Verify that the version is 6.0.27, 6.4.10, or 7.0.0alpha1 or later. Test by entering a URL preceded by spaces in a map URL field; the input should be rejected or sanitized.
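Checking the reported version against the fixed releases listed on this page, as an added example (not a Zabbix tool): it parses the first line of `zabbix_server --version` output and compares the installed release with the first fixed release of its branch. The sample output strings are constructed, and the handling of branches the page does not list (reported as unpatched unless newer than 7.0) is this example's own conservative assumption.

```python
import re
import shutil
import subprocess

# First fixed release per branch, as stated on this page (vendor advisory ZBX-23389).
FIXED_VERSIONS = {
    (6, 0): (6, 0, 27),
    (6, 4): (6, 4, 10),
    (7, 0): (7, 0, 0),   # 7.0.0alpha1 and later
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([A-Za-z0-9]*)")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch, suffix) from `zabbix_server --version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version string found in output")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_vulnerable(text: str) -> bool:
    """True if the reported version is below the fixed release for its branch.

    Assumption (not from the page): branches the page does not list, such as 5.0
    or 6.2, are reported as vulnerable so they get checked against the vendor
    advisory; branches newer than 7.0 are assumed to carry the fix.
    """
    major, minor, patch, _ = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (major, minor) < (7, 0)
    return (major, minor, patch) < fixed


def check_installed() -> str:
    """Run zabbix_server --version on this host and return a one-line verdict."""
    exe = shutil.which("zabbix_server")
    if exe is None:
        return "zabbix_server not found in PATH"
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False).stdout
    try:
        verdict = "VULNERABLE: " if is_vulnerable(out) else "patched: "
    except ValueError as exc:
        return f"could not determine version: {exc}"
    return verdict + out.splitlines()[0]


if __name__ == "__main__":
    # Constructed sample outputs; real output starts with a line of this shape.
    for sample in ["zabbix_server (Zabbix) 6.0.26", "zabbix_server (Zabbix) 6.4.10",
                   "zabbix_server (Zabbix) 7.0.0alpha1"]:
        print(sample, "->", "vulnerable" if is_vulnerable(sample) else "patched")
    print(check_installed())
```

The version string is only a proxy: a frontend running on a different host than `zabbix_server`, or a locally patched build, can report a version that does not match the installed web code, so the manual map-URL test above remains the decisive check.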
📡 Detection & Monitoring
Log Indicators:
- Unusual map creation/modification events
- Multiple failed login attempts followed by map edits
- JavaScript payloads in URL parameters in web server logs
Network Indicators:
- Unusual outbound connections from Zabbix server after map views
- Suspicious JavaScript in HTTP requests to map endpoints
SIEM Query:
source="zabbix.log" AND (("map" AND "url" AND ("%20" OR "%09" OR "%0A")) OR ("script" AND "alert" AND "map"))
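The log indicators above turned into a concrete check, as an added example (it is not part of this page's SIEM query): it scans Apache-style access-log lines for a `url` parameter whose decoded value begins with whitespace or a control character, or whose scheme is not http/https. The log lines, client addresses, user names and the `/zabbix/map.php` path are constructed placeholders; the real map endpoint, the parameter name, and whether the field arrives as a query parameter or a form body depend on your deployment and on what your proxy or WAF logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log style; hosts, users and the path are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "POST /zabbix/map.php?url=https%3A%2F%2Fexample.com%2Fstatus HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Mar/2024:10:02:10 +0000] "POST /zabbix/map.php?url=%20%20javascript%3Avoid(0) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Mar/2024:10:03:10 +0000] "POST /zabbix/map.php?url=%09https%3A%2F%2Fexample.com%2Fstatus HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - carol [12/Mar/2024:10:04:00 +0000] "GET /zabbix/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LEADING_WS = re.compile(r"^[\s\x00-\x1f]")
ALLOWED_SCHEMES = {"http", "https"}
WATCHED_PARAMS = {"url"}  # assumption: the map URL field is submitted under this name


def inspect_value(value: str) -> list:
    """Return the reasons a decoded url-field value looks suspicious (empty list if none)."""
    reasons = []
    if LEADING_WS.match(value):
        reasons.append("leading whitespace/control character")
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {scheme!r} not http/https")
    return reasons


def find_suspicious(log_text: str) -> list:
    """Scan access-log text and return one dict per suspicious url-parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes values, so "%20" and "%09" become real characters here.
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if key.lower() not in WATCHED_PARAMS:
                continue
            for value in values:
                reasons = inspect_value(value)
                if reasons:
                    hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                 "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} value={hit['value']!r}: "
              f"{', '.join(hit['reasons'])}")
```

Decoding before matching is the point of this check: a SIEM query that looks for the literal strings `%20` or `%09` misses the same value sent as a raw tab or as `+`, whereas matching on the decoded value catches every encoding the parser accepts. Correlating hits by user and timestamp with the map creation/modification events in the Zabbix audit log turns a single suspicious request into an incident-response lead.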