rpm package: suse/zabbix (distro: SUSE Linux Enterprise Server 12 SP5)
pkg:rpm/suse/zabbix&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-22119 | — | | | < 4.0.12-4.27.1 | 4.0.12-4.27.1 | Feb 9, 2024 | The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section. |
| CVE-2023-29450 | — | | | < 4.0.12-4.24.1 | 4.0.12-4.24.1 | Jul 13, 2023 | JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. |
| CVE-2022-43515 | — | | | < 4.0.12-4.21.1 | 4.0.12-4.21.1 | Dec 12, 2022 | Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be preven |
| CVE-2022-35230 | — | | | < 4.0.12-4.18.1 | 4.0.12-4.18.1 | Jul 6, 2022 | An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. |
| CVE-2022-24919 | — | | | < 4.0.12-4.15.2 | 4.0.12-4.15.2 | Mar 9, 2022 | An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code ha |
| CVE-2022-24918 | — | | | < 4.0.12-4.15.2 | 4.0.12-4.15.2 | Mar 9, 2022 | An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has |
| CVE-2022-24917 | — | | | < 4.0.12-4.15.2 | 4.0.12-4.15.2 | Mar 9, 2022 | An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code |
| CVE-2022-24349 | — | | | < 4.0.12-4.15.2 | 4.0.12-4.15.2 | Mar 9, 2022 | An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a v |
| CVE-2021-27927 | — | | | < 4.0.12-4.12.1 | 4.0.12-4.12.1 | Mar 3, 2021 | In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the in |
| CVE-2020-15803 | — | | | < 4.0.12-4.7.1 | 4.0.12-4.7.1 | Jul 17, 2020 | Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. |
| CVE-2013-7484 | — | | | < 4.0.12-4.12.1 | 4.0.12-4.12.1 | Nov 30, 2019 | Zabbix before 5.0 represents passwords in the users table with unsalted MD5. |