CVE-2023-32725: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-32725 is a critical security vulnerability affecting Zabbix server and frontend components. The vulnerability was discovered and disclosed on December 18, 2023, affecting multiple versions of Zabbix including versions 6.0.0-6.0.21, 6.4.0-6.4.6, and early alpha versions of 7.0.0. The vulnerability allows session cookie theft through the URL widget when testing or executing scheduled reports (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.6 (Critical) by Zabbix and 8.8 (High) by NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. It is categorized under CWE-565 (Reliance on Cookies without Validation and Integrity Checking). The vulnerability allows the website configured in the URL widget to receive a session cookie during the testing or execution of scheduled reports (NVD).

The vulnerability can lead to unauthorized access to the Zabbix frontend with the privileges of the user who created the report. Since scheduled reports are available to Admin and Super admin user types, the impact is particularly severe as it could result in complete system compromise. The attacker can use the stolen cookie to impersonate the Zabbix user and gain their level of access (Vendor Advisory).

As a temporary workaround, administrators should ensure only trusted URLs are configured in the URL widget. The vulnerability has been fixed in versions 6.0.22rc1, 6.4.7rc1, and 7.0.0alpha4. Users are advised to upgrade to these or newer versions to protect against this vulnerability (Vendor Advisory).