This can be done by creating a link like this one: https://example.com/wp-login.php?redirect_to=%2Ffake-user-account.php

Because the user is not yet authenticated, wp-login.php displays the normal WordPress login form. After a successful login, WordPress follows the redirect_to value and sends the user to /fake-user-account.php, a page under the attacker's control, which presents a fake account-creation form. The user then completes the "account creation" and logs in with the information the attacker has prepared.
To reduce this attack vector, the following actions can be taken:
- When creating links to wp-admin pages, use absolute https:// URLs rather than http://, so the link is not delivered over plaintext and cannot be rewritten on its way to the user.
- Restrict access to wp-admin pages to authenticated users only.
- Restrict who can reach wp-login.php, for example by using the login_manager plugin.
- Validate the redirect_to value before honouring it: accept only site-relative paths or URLs whose host is the site's own host (or an explicitly allowed host), and fall back to a fixed location otherwise.
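The following Python is an added example, not code from the page or from WordPress, showing the redirect_to validation described above and a small scan of web-server access-log lines for redirect_to values that would be rejected. The site host example.com, the fallback location /wp-admin/, the log format and the sample log lines are all constructed assumptions; the validation logic is an illustration of host-based redirect checking, not WordPress's own wp_validate_redirect().

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.com"   # assumed site host (hypothetical)
FALLBACK = "/wp-admin/"     # assumed target used when a redirect is rejected


def validate_redirect(location, site_host=SITE_HOST, allowed_hosts=(), fallback=FALLBACK):
    """Return ``location`` if it is a site-relative path or points at ``site_host``
    (or a host listed in ``allowed_hosts``); otherwise return ``fallback``.

    Illustration added for this page; not WordPress's wp_validate_redirect().
    """
    loc = location.strip(" \t\r\n\0\x08\x0b")
    # Browsers treat a backslash like a forward slash, so "/\evil" is really "//evil".
    loc = loc.replace("\\", "/")
    # A protocol-relative value ("//evil.example") is an absolute URL to a browser.
    if loc.startswith("//"):
        loc = "http:" + loc
    parts = urlsplit(loc)
    # A scheme without a host ("javascript:...", "http:/evil.example") is never a
    # legitimate local target.
    if parts.scheme and not parts.netloc:
        return fallback
    if parts.hostname is None:
        # Path-only target: keep it, but anchor it at the site root.
        return loc if loc.startswith("/") else "/" + loc
    host = parts.hostname.lower()
    permitted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    return loc if host in permitted else fallback


# Matches the request part of a combined-format access-log line for wp-login.php.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>/wp-login\.php\?[^ "]*) HTTP/')


def find_risky_redirects(log_lines, site_host=SITE_HOST):
    """Return the decoded redirect_to values from ``log_lines`` that
    validate_redirect() would reject, i.e. targets pointing off-site."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        # parse_qs percent-decodes, which is what the web server hands to PHP.
        for target in parse_qs(query).get("redirect_to", []):
            if validate_redirect(target, site_host) == FALLBACK:
                hits.append(target)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Sep/2022:11:15:00 +0000] "GET /wp-login.php?redirect_to=%2Ffake-user-account.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [14/Sep/2022:11:15:07 +0000] "GET /wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F HTTP/1.1" 200 3120',
    '198.51.100.9 - - [14/Sep/2022:11:16:02 +0000] "GET /wp-login.php?redirect_to=%2F%2Fevil.example%2Fwp-login.php HTTP/1.1" 200 3120',
    '198.51.100.9 - - [14/Sep/2022:11:16:10 +0000] "GET /wp-login.php?redirect_to=https%3A%2F%2Fexample.com.evil.example%2F HTTP/1.1" 200 3120',
    '192.0.2.7 - - [14/Sep/2022:11:17:00 +0000] "GET /wp-login.php?redirect_to=%2F%5Cevil.example HTTP/1.1" 200 3120',
]

if __name__ == "__main__":
    for target in find_risky_redirects(SAMPLE_LOG):
        print("off-site redirect_to:", target)
```

Note that the page's own lure, redirect_to=%2Ffake-user-account.php, is a site-relative path and passes host validation: it stays on example.com. Host checks stop off-site redirects (including the protocol-relative and backslash variants in the sample log) but not a lure page hosted on the site itself, which is why restricting wp-admin and wp-login.php access still matters.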

Timeline

Published on: 09/14/2022 11:15:00 UTC
Last modified on: 09/30/2022 19:15:00 UTC

References