Unrated severityNVD Advisory· Published Nov 27, 2024· Updated Dec 4, 2024

SQL injection in user.get API

CVE-2024-42327

Description

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Affected products

Zabbix/Zabbixv5
Range: 6.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.zabbix.com/browse/ZBX-25623mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.073
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000