ID EDB-ID:49202 Type exploitdb Reporter Exploit-DB Modified 2020-12-04T00:00:00
Description
# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
# Date: 8/11/2020
# Exploit Author: Shwetabh Vishnoi
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/download
# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1
# CVE : CVE-2020-15803
Affected URL/endpoint(s):
http://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check
Affected Param: <iframe src="http://localhost/hello.html" scrolling="auto"
id="iframe" class="widget-url" width="100%" height="100%"></iframe>
Description: The application's Global View dashboard includes a widget
feature that a malicious admin can use to propagate a stored cross-site
scripting attack. The “URL” widget iframe has no built-in restrictions on
the content that executes within it.

Impact: Malicious web pages loaded in the iframe can be used to host
phishing forms, propagate malware, force redirections, etc.

The affected Global View dashboard is displayed to all users of the
application, so all users are affected by this vulnerability.

Reproduction Steps:
1. Log in to the application as Admin.
2. In the Global View dashboard, add a widget.
3. Select Type – “URL” and fill in any random values for Name and Refresh Interval.
4. Now, in the URL parameter, enter a malicious URL.
5. For demo purposes, I have hosted a web server on my machine and hosted a webpage http://localhost/hello.html. (Alternatively, you can use “http://14.rs” to display popups.)
6. The malicious webpage containing the payload will be executed on the dashboard via the iframe.
7. The executed content can redirect the user to a malicious page (we have used the Bing page for redirection).
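
A defensive check for the condition described above, added here as an example (not code from the original advisory or from Zabbix): it scans rendered dashboard HTML for `widget-url` iframes and reports those with no `sandbox` attribute, a weakened sandbox, or a source host outside an allow-list. The function names, the allow-listed host and every sample iframe except the first (copied from "Affected Param") are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sandbox tokens that re-enable behaviour the advisory lists under "Impact".
RISKY_TOKENS = {
    "allow-top-navigation": "framed page can redirect the whole dashboard tab",
    "allow-popups": "framed page can open new windows",
    "allow-forms": "framed page can submit forms",
}

# Hypothetical allow-list: hosts the operator accepts inside URL widgets.
ALLOWED_HOSTS = {"grafana.example.internal"}

# Constructed sample of rendered dashboard markup. The first iframe is the
# one quoted in the advisory; the others are made up for contrast.
SAMPLE_HTML = """
<iframe src="http://localhost/hello.html" scrolling="auto"
 id="iframe" class="widget-url" width="100%" height="100%"></iframe>
<iframe src="https://grafana.example.internal/d/abc" sandbox
 class="widget-url"></iframe>
<iframe src="https://grafana.example.internal/d/def"
 sandbox="allow-scripts allow-top-navigation" class="widget-url"></iframe>
<iframe src="https://docs.example.internal/" class="help-frame"></iframe>
"""


class _WidgetIframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> whose class list has widget-url."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr_map = dict(attrs)  # a valueless attribute (bare `sandbox`) maps to None
        if "widget-url" in (attr_map.get("class") or "").split():
            self.iframes.append(attr_map)


def audit_url_widgets(html, allowed_hosts):
    """Return one finding per URL-widget iframe that lacks effective restrictions."""
    parser = _WidgetIframeCollector()
    parser.feed(html)
    parser.close()

    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        issues = []

        # hostname is None for relative, javascript: or data: sources,
        # so those are reported as off-list too.
        host = (urlsplit(src).hostname or "").lower()
        if host not in allowed_hosts:
            issues.append(f"src host {host or '(none)'} is not on the allow-list")

        if "sandbox" not in attrs:
            issues.append("no sandbox attribute: framed content runs unrestricted")
        else:
            tokens = set((attrs["sandbox"] or "").lower().split())
            # A page that is same-origin with the dashboard and holds both
            # tokens can remove its own sandbox attribute.
            if {"allow-scripts", "allow-same-origin"} <= tokens:
                issues.append("sandbox combines allow-scripts and allow-same-origin")
            for token in sorted(tokens & set(RISKY_TOKENS)):
                issues.append(f"sandbox token {token}: {RISKY_TOKENS[token]}")

        if issues:
            findings.append({"src": src, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_url_widgets(SAMPLE_HTML, ALLOWED_HOSTS):
        print(finding["src"])
        for issue in finding["issues"]:
            print("  -", issue)
```
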
"p-cpe:/a:novell:opensuse:zabbix-server-debuginfo", "p-cpe:/a:novell:opensuse:zabbix-agent-debuginfo", "p-cpe:/a:novell:opensuse:zabbix-debuginfo", "p-cpe:/a:novell:opensuse:zabbix-server-postgresql", "p-cpe:/a:novell:opensuse:zabbix-proxy-mysql-debuginfo", "p-cpe:/a:novell:opensuse:zabbix-proxy-postgresql", "p-cpe:/a:novell:opensuse:zabbix-agent", "p-cpe:/a:novell:opensuse:zabbix-proxy-sqlite", "p-cpe:/a:novell:opensuse:zabbix-server-postgresql-debuginfo", "p-cpe:/a:novell:opensuse:zabbix-bash-completion", "p-cpe:/a:novell:opensuse:zabbix-proxy-postgresql-debuginfo"], "id": "OPENSUSE-2020-1604.NASL", "href": "https://www.tenable.com/plugins/nessus/141167", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1604.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141167);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/21\");\n\n script_cve_id(\"CVE-2020-11800\", \"CVE-2020-15803\");\n\n script_name(english:\"openSUSE Security Update : zabbix (openSUSE-2020-1604)\");\n script_summary(english:\"Check for the openSUSE-2020-1604 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for zabbix fixes the following issues :\n\nUpdated to version 3.0.31.\n\n + CVE-2020-15803: Fixed an XSS in the URL Widget\n (boo#1174253).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174253\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected zabbix packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11800\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-java-gateway\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-phpfrontend\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-postgresql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-proxy-sqlite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-postgresql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:zabbix-server-sqlite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1|SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1 / 15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-agent-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-agent-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-bash-completion-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-debugsource-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-java-gateway-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-phpfrontend-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-mysql-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-mysql-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", 
reference:\"zabbix-proxy-postgresql-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-postgresql-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-sqlite-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-proxy-sqlite-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-mysql-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-mysql-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-postgresql-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-postgresql-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-sqlite-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"zabbix-server-sqlite-debuginfo-3.0.31-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-agent-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-agent-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-bash-completion-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-debugsource-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-java-gateway-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-phpfrontend-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", 
reference:\"zabbix-proxy-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-mysql-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-mysql-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-postgresql-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-postgresql-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-sqlite-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-proxy-sqlite-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-mysql-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-mysql-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-postgresql-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-postgresql-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-sqlite-3.0.31-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"zabbix-server-sqlite-debuginfo-3.0.31-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zabbix-agent / zabbix-agent-debuginfo / zabbix-bash-completion / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": 
[{"lastseen": "2020-12-04T15:07:19", "description": "", "published": "2020-12-04T00:00:00", "type": "packetstorm", "title": "Zabbix 5.0.0 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-15803"], "modified": "2020-12-04T00:00:00", "id": "PACKETSTORM:160362", "href": "https://packetstormsecurity.com/files/160362/Zabbix-5.0.0-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe \n# Date: 8/11/2020 \n# Exploit Author: Shwetabh Vishnoi \n# Vendor Homepage: https://www.zabbix.com/ \n# Software Link: https://www.zabbix.com/download \n# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 \n# CVE : CVE-2020-15803 \n \nAffected URL/endpoint(s): \nhttp://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check \n \nAffected Param: <iframe src=\"http://localhost/hello.html\" scrolling=\"auto\" \nid=\"iframe\" class=\"widget-url\" width=\"100%\" height=\"100%\"></iframe> \n \nDescription: The application contains a widget functionality within Global \nView Dashboard which can be used by a malicious admin to propagate stored \ncross site scripting attack. The \u201cURL\u201d widget iframe does not have any \ninbuilt restrictions for the content executing within. \n \nImpact: The malicious webpages within iframes can be used for hosting forms \nfor Phishing, malware propagation, forced redirections etc. \n \nThe affected Global View dashboard is displayed to all the users of the \napplication, so all the users will be affected with this vulnerability. \n \nReproduction Steps: \n1. Login to the application with Admin \n2. In Global View Dashboard, Add a widget \n3. Select Type \u2013 \u201cURL\u201d, fill any random values for Name, Refresh Interval. \n4. Now, in the URL parameter, enter a malicious URL. \n5. 
For demo purpose, I have hosted a web server on my machine and hosted a webpage http://localhost/hello.html. (Alternatively, you can use \u201c http://14.rs\u201d to display popups.) \n6. The malicious webpage containing payload will be executed on the dashboard via iFrame. \n7. The executed content can redirect the user to a malicious page (We have used Bing page for redirection). \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/160362/zabbix500-xss.txt"}], "suse": [{"lastseen": "2020-10-04T14:43:25", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11800", "CVE-2020-15803"], "description": "This update for zabbix fixes the following issues:\n\n Updated to version 3.0.31.\n\n + CVE-2020-15803: Fixed an XSS in the URL Widget (boo#1174253).\n\n", "edition": 1, "modified": "2020-10-04T12:14:10", "published": "2020-10-04T12:14:10", "id": "OPENSUSE-SU-2020:1604-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html", "title": "Security update for zabbix (moderate)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}