CVE-2023-29455: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-29455 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in Zabbix Frontend. The vulnerability affects versions from 4.0.0 to 4.0.45 and 5.0.0 to 5.0.33. This non-persistent attack occurs when a malicious script is reflected off the web application to the victim's browser through the graph.php endpoint (NVD, Zabbix Bug).

The vulnerability allows an attacker to pass malicious code as a GET request to graph.php, which the system saves and executes when the current graph page is opened. The CVSS v3.1 base score is 6.1 (Medium) according to NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Zabbix assessed it at 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, the vulnerability allows attackers to execute malicious scripts in the victim's browser context when they access the compromised graph page. This could potentially lead to unauthorized access to user session data and enable attackers to impersonate valid users and abuse their private accounts (Debian Advisory).

The vulnerability has been fixed in Zabbix versions 4.0.46rc1 and 5.0.35rc1. Users are recommended to upgrade their Zabbix installations to these or later versions. For Debian 10 (buster), the fix is available in version 1:4.0.4+dfsg-1+deb10u2 (Debian Advisory).