Latest Zabbix Vulnerabilities

Stored XSS in graph items select form
Zabbix Zabbix>=5.0.0<5.0.40
Zabbix Zabbix>=6.0.0<6.0.24
Zabbix Zabbix>=6.4.0<6.4.9
Zabbix Zabbix=7.0.0-alpha1
Zabbix Zabbix=7.0.0-alpha2
Zabbix Zabbix=7.0.0-alpha3
and 4 more
A memory pointer is stored in a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.
Zabbix Zabbix>=5.0.0<=5.0.36
Zabbix Zabbix>=6.0.0<=6.0.20
Zabbix Zabbix>=6.4.0<=6.4.5
Zabbix Zabbix=7.0.0-alpha1
Zabbix Zabbix=7.0.0-alpha2
Zabbix Zabbix=7.0.0-alpha3
The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.
Zabbix Zabbix>=6.0.0<=6.0.20
Zabbix Zabbix>=6.4.0<=6.4.5
Zabbix Zabbix=7.0.0-alpha1
Zabbix Zabbix=7.0.0-alpha2
Zabbix Zabbix=7.0.0-alpha3
Inefficient permission check in class CControllerAuthenticationUpdate
Zabbix Zabbix>=4.0.0<4.0.19
Zabbix Zabbix>=4.4.0<4.4.7
Zabbix Zabbix=4.0.19-rc1
Zabbix Zabbix=4.4.7-rc1
Zabbix Zabbix=5.0.0-alpha3
Stored XSS in Maps element
Zabbix Zabbix>=4.0.0<=4.0.47
Zabbix Zabbix>=5.0.0<=5.0.36
Zabbix Zabbix>=6.0.0<=6.0.20
Zabbix Zabbix>=6.4.0<=6.4.5
Zabbix Zabbix=7.0.0-alpha1
Zabbix Zabbix=7.0.0-alpha2
and 1 more
Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.
Zabbix Zabbix<=6.0.14
Zabbix Zabbix>=6.4.2<=6.4.4
Zabbix Zabbix=6.4.0-alpha1
Zabbix Zabbix=6.4.0-beta1
Zabbix Zabbix=6.4.0-beta2
Zabbix Zabbix=6.4.0-beta3
and 6 more
Duktape is a third-party embeddable JavaScript engine with a focus on portability and a compact footprint. When too many values are added to the valstack, JavaScript will crash. This issue occurs due to a bug in ...
Zabbix Zabbix=5.0.34
Zabbix Zabbix=6.0.17
Zabbix Zabbix=6.4.2
Currently, the geomap configuration (Administration -> General -> Geographical maps) allows HTML in the “Attribution text” field when the “Other” tile provider is selected.
Zabbix Zabbix>=6.0.0<=6.0.17
Zabbix Zabbix=6.4.0
Zabbix Zabbix=6.4.0-rc1
Zabbix Zabbix=6.4.0-rc2
Zabbix Zabbix=6.4.0-rc3
Zabbix Zabbix=6.4.0-rc4
and 3 more
JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to ...
Zabbix Zabbix<=5.0.31
Zabbix Zabbix>=6.0.0<=6.0.13
Zabbix Zabbix>=6.4.1<=6.4.4
Zabbix Zabbix=6.4.0-alpha1
Zabbix Zabbix=6.4.0-beta1
Zabbix Zabbix=6.4.0-beta2
and 7 more
JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unaut...
Zabbix Zabbix<=5.0.33
Zabbix Zabbix>=6.0.0<=6.0.15
Zabbix Zabbix>=6.4.0<=6.4.1
Microsoft Windows Firewall
Zabbix Zabbix>=6.0.10<6.0.12
Zabbix Zabbix>=6.2.0<6.2.6
Zabbix Zabbix=6.0.12-rc1
Zabbix Zabbix=6.2.6-rc1
An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, ...
Zabbix Zabbix>=6.0.0<=6.0.6
Zabbix Zabbix=6.2.0
Fedoraproject Fedora=37
An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of th...
Zabbix Zabbix<4.0.0
Zabbix Zabbix>=5.0.0<5.0.25
Zabbix Zabbix>=6.0.0<=6.0.4
Zabbix Zabbix=5.0.25
ubuntu/zabbix<1:3.0.12+dfsg-1ubuntu0.1~
ubuntu/zabbix<1:4.0.17+dfsg-1ubuntu0.1~
and 5 more
An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the v...
Zabbix Zabbix<5.0.25
Zabbix Zabbix=5.0.25
Zabbix Zabbix=5.0.25-rc1
ubuntu/zabbix<1:3.0.12+dfsg-1ubuntu0.1~
ubuntu/zabbix<1:4.0.17+dfsg-1ubuntu0.1~
ubuntu/zabbix<1:5.0.17+dfsg-1ubuntu0.1~
and 4 more
Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of...
Zabbix Zabbix>=4.0.0<=4.0.34
Zabbix Zabbix>=4.2.0<=4.2.8
Zabbix Zabbix>=4.4.0<=4.4.11
Zabbix Zabbix>=5.0.0<=5.0.20
An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users ...
Zabbix Zabbix>=5.0.0<=5.0.18
Zabbix Zabbix>=5.4.0<=5.4.8
Zabbix Zabbix=6.0.0-alpha1
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Zabbix Frontend Improper Access Control Vulnerability
Zabbix Zabbix>=5.4.0<=5.4.8
Zabbix Zabbix=6.0.0-alpha1
Zabbix Zabbix=6.0.0-alpha2
Zabbix Zabbix=6.0.0-alpha3
Zabbix Zabbix=6.0.0-alpha4
Zabbix Zabbix=6.0.0-alpha5
and 7 more
During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, wri...
Zabbix Zabbix>=4.0.0<=4.0.36
Zabbix Zabbix>=5.0.0<=5.0.18
Zabbix Zabbix>=5.4.0<=5.4.8
Zabbix Zabbix=6.0.0-alpha1
Zabbix Zabbix=6.0.0-alpha2
Zabbix Zabbix=6.0.0-alpha3
and 6 more
Zabbix Frontend Authentication Bypass Vulnerability
Zabbix Zabbix>=5.4.0<=5.4.8
Zabbix Zabbix=6.0.0-alpha1
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection me...
Zabbix Zabbix>=4.0.0<=4.0.27
Zabbix Zabbix>=5.0.0<=5.0.9
Zabbix Zabbix>=5.2.0<=5.2.3
Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2, allow remote attackers to execute arbitrary code.
Zabbix Zabbix>=2.2.0<3.0.31
Zabbix Zabbix=3.2.0
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
openSUSE Leap=15.1
openSUSE Leap=15.2
and 1 more
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
Zabbix Zabbix<=3.0.31
Zabbix Zabbix>=4.0.0<=4.0.21
Zabbix Zabbix>=4.4<=4.4.9
Zabbix Zabbix>=5.0.0<=5.0.1
Zabbix Zabbix=3.0.32-rc1
Zabbix Zabbix=4.0.22
and 12 more
A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.
Zabbix Zabbix=2.0.6
Zabbix 2.0.9 has an arbitrary command execution vulnerability.
Zabbix Zabbix=2.0.9
Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.
Zabbix Zabbix>=1.8<=1.8.17
Zabbix Zabbix>=2.0.0<=2.0.8
Zabbix Zabbix>=2.1.0<=2.1.7
Zabbix before 5.0 represents passwords in the users table with unsalted MD5.
Zabbix Zabbix=2.0.8
Zabbix Zabbix=4.4.0-alpha2
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Repor...
Zabbix Zabbix<=4.4
Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.
Zabbix Zabbix<=2.2.20
Zabbix Zabbix>=3.0.0<=3.0.12
Zabbix Zabbix>=3.1.0<=3.2.9
Zabbix Zabbix>=3.3.0<=3.4.3
Debian Debian Linux=8.0