CVE-2024-45699
📋 TL;DR
This CVE describes a reflected Cross-Site Scripting (XSS) vulnerability in Zabbix's /zabbix.php endpoint that allows attackers to inject malicious JavaScript via the backurl parameter. When exploited, this can lead to session hijacking, credential theft, or unauthorized actions within the victim's browser context. Organizations running vulnerable Zabbix versions with the export.valuemaps functionality accessible are affected.
💻 Affected Systems
- Zabbix
📦 What is this software?
Zabbix by Zabbix
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the Zabbix instance, modify monitoring configurations, access sensitive system data, and potentially pivot to monitored systems.
Likely Case
Attackers would typically steal user session cookies to gain unauthorized access, perform actions as the victim user, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the vulnerability would be neutralized, preventing any JavaScript execution from user-supplied parameters.
🎯 Exploit Status
Exploitation requires the attacker to trick a user into clicking a malicious link. The vulnerability is in the web interface and requires user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Zabbix 7.0.0beta3 and later
Vendor Advisory: https://support.zabbix.com/browse/ZBX-26254
Restart Required: No
Instructions:
1. Upgrade Zabbix to version 7.0.0beta3 or later.
2. Apply the patch from the vendor advisory.
3. Clear browser caches and test the fix.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall (WAF) rules or input validation to sanitize the backurl parameter
# Example mod_security rule for Apache (case-insensitive; t:urlDecodeUni also catches a double-encoded payload):
SecRule ARGS:backurl "@rx (?i)javascript\s*:|<\s*script" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'XSS attempt detected'"
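A WAF rule that pattern-matches the payload only blocks the spellings it anticipates. The more durable fix, at the application layer, is to treat backurl as untrusted and accept only a same-site relative path, which neutralises the javascript: scheme without enumerating payloads. The following is an added example written for this page, not Zabbix's code or the vendor's patch; the function names and the default landing page are assumptions.

```python
# Added example (not Zabbix code): allowlist validation for a return-URL
# parameter such as backurl. A redirect target taken from the request is
# trusted only when it is a rooted path on the same site; any scheme
# (javascript:, data:, http:) or authority (//host) is rejected.
from urllib.parse import unquote, urlsplit

# Assumed default landing page used when the supplied backurl is rejected.
DEFAULT_BACKURL = "/zabbix.php?action=dashboard.view"


def is_safe_backurl(value: str) -> bool:
    """Return True only for a same-site absolute path such as '/zabbix.php?action=x'."""
    if not value:
        return False
    # Judge the decoded form so a double-encoded payload cannot slip past the check.
    decoded = unquote(unquote(value))
    # Browsers strip tabs/newlines before scheme parsing ("java\tscript:"), so any
    # control character or whitespace is grounds for rejection rather than cleanup.
    if any(ord(ch) <= 0x20 for ch in decoded):
        return False
    parts = urlsplit(decoded)
    # A non-empty scheme or netloc means the target is not a plain same-site path.
    if parts.scheme or parts.netloc:
        return False
    # Require a rooted path; some browsers treat a backslash as a path separator.
    if not parts.path.startswith("/") or "\\" in decoded:
        return False
    return True


def resolve_backurl(value: str) -> str:
    """Return the user-supplied backurl if it passes the allowlist, else the default."""
    return value if is_safe_backurl(value) else DEFAULT_BACKURL


if __name__ == "__main__":
    for candidate in ["/zabbix.php?action=valuemap.list",
                      "javascript:alert('XSS')",
                      "javascript%3Aalert(1)",
                      "//evil.example/"]:
        print(f"{candidate!r:40} -> {resolve_backurl(candidate)}")
```

The check is deliberately an allowlist: rather than asking "does this look like javascript:?", it asks "is this a rooted path with no scheme and no host?", so case variants, encoded colons and protocol-relative URLs all fail the same test.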
Access Restriction
Restrict access to the /zabbix.php endpoint to trusted IP addresses only
# Apache example:
<Location /zabbix.php>
Require ip 192.168.1.0/24
</Location>
# Nginx example:
location /zabbix.php {
allow 192.168.1.0/24;
deny all;
}
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Deploy a web application firewall (WAF) with XSS protection rules enabled
🔍 How to Verify
Check if Vulnerable:
Test by accessing /zabbix.php?action=export.valuemaps&backurl=javascript:alert('XSS') and checking whether the script executes in the browser
Check Version:
zabbix_server --version | grep 'Zabbix'
Verify Fix Applied:
After patching, test the same payload and verify no JavaScript execution occurs
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /zabbix.php with suspicious backurl parameters containing javascript: or script tags
- Unusual user agent strings or referrer headers in Zabbix access logs
Network Indicators:
- HTTP requests with javascript: in query parameters
- Multiple failed authentication attempts followed by XSS payload requests
SIEM Query:
source="zabbix_access.log" AND uri_path="/zabbix.php" AND (query="*javascript:*" OR query="*<script>*")
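The SIEM query above matches the raw query string, so a payload that arrives percent-encoded once or twice never contains the literal javascript: and is missed. The following added example (not part of the advisory; the log lines and addresses are constructed) parses combined-format access log lines, URL-decodes the backurl value and applies the advisory's indicators to the decoded form.

```python
# Added example (not from the advisory): scan combined-format access log lines
# for /zabbix.php requests whose backurl parameter carries a script payload.
# The log lines below are constructed for illustration; the IP addresses are
# documentation ranges, not real indicators.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx combined format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(value: str) -> str:
    """Decode once more (parse_qs already decoded once) and drop control chars/whitespace."""
    decoded = unquote(value)
    return re.sub(r"[\x00-\x20]+", "", decoded).lower()


def find_indicator(value: str):
    """Return the matching indicator from the advisory, or None."""
    for scheme in ("javascript:", "data:"):
        if value.startswith(scheme):
            return scheme
    if "<script" in value:
        return "<script"
    return None


def inspect_line(line: str):
    """Return a hit record for a suspicious backurl, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = urlsplit(m.group("uri"))
    if uri.path != "/zabbix.php":
        return None
    for raw in parse_qs(uri.query, keep_blank_values=True).get("backurl", []):
        indicator = find_indicator(normalise(raw))
        if indicator:
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "backurl": unquote(raw),
                "indicator": indicator,
            }
    return None


def scan(lines):
    """Return all hit records found in an iterable of log lines."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


# Constructed sample: two benign requests, a plain payload, a double-encoded
# payload, and a payload against a different endpoint (out of scope here).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2024:12:00:01 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2024:12:00:02 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=%2Fzabbix.php%3Faction%3Dvaluemap.list HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:12:01:00 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=javascript:alert(\'XSS\') HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:12:01:05 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=%256A%2561vascript%253Aalert(1) HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2024:12:02:00 +0000] "GET /index.php?backurl=javascript:alert(1) HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed it the Zabbix frontend's access log (the web server's, not zabbix_server's) and alert on any hit; the decoded backurl in the record is what to compare against the literal patterns in the SIEM query when tuning it.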