6.1

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

Data is provided by the National Vulnerability Database (NVD)
Zabbix Zabbix Version <= 3.0.31
Zabbix Zabbix Version >= 4.0.0 <= 4.0.21
Zabbix Zabbix Version >= 4.4 <= 4.4.9
Zabbix Zabbix Version >= 5.0.0 <= 5.0.1
Zabbix Zabbix Version 3.0.32 Update rc1
Zabbix Zabbix Version 4.0.22 Update -
Zabbix Zabbix Version 4.0.22 Update rc1
Zabbix Zabbix Version 4.4.10 Update -
Zabbix Zabbix Version 4.4.10 Update rc1
Zabbix Zabbix Version 5.0.2 Update -
Zabbix Zabbix Version 5.0.2 Update rc1
Fedoraproject Fedora Version 31
Fedoraproject Fedora Version 32
Debian Debian Linux Version 9.0
Opensuse Backports Version sle-15 Update sp1
Opensuse Backports Version sle-15 Update sp2
Opensuse Leap Version 15.1
Opensuse Leap Version 15.2
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 2.09% 0.824
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9 AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.