VYPR

Zabbix

by Zabbix

Source repositories

CVEs (118)

  • CVE-2023-29452Jul 13, 2023
    risk 0.00cvss epss 0.62

    Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider.

  • CVE-2023-29451Jul 13, 2023
    risk 0.00cvss epss 0.01

    Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.

  • CVE-2023-29450Jul 13, 2023
    risk 0.00cvss epss 0.01

    JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

  • CVE-2023-29449Jul 13, 2023
    risk 0.00cvss epss 0.01

    JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should…

  • CVE-2022-46768Dec 19, 2022
    risk 0.00cvss epss 0.48

    Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files.

  • CVE-2022-43515Dec 12, 2022
    risk 0.00cvss epss 0.01

    Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be…

  • CVE-2022-40626Sep 14, 2022
    risk 0.00cvss epss 0.01

    An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.

  • CVE-2022-35230Jul 6, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

  • CVE-2022-35229Jul 6, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

  • CVE-2022-24919Mar 9, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code…

  • CVE-2022-24917Mar 9, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious…

  • CVE-2022-24349Mar 9, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to…

  • CVE-2021-46088Jan 27, 2022
    risk 0.00cvss epss 0.04

    Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user.

  • CVE-2022-23133Jan 13, 2022
    risk 0.00cvss epss 0.01

    An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation, the XSS payload will fire…

  • CVE-2022-23132Jan 13, 2022
    risk 0.00cvss epss 0.01

    During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file system level

  • CVE-2021-27927Mar 3, 2021
    risk 0.00cvss epss 0.01

    In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the…

  • CVE-2020-15803Jul 17, 2020
    risk 0.00cvss epss 0.32

    Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

  • CVE-2013-7484Nov 30, 2019
    risk 0.00cvss epss 0.01

    Zabbix before 5.0 represents passwords in the users table with unsalted MD5.

  • CVE-2019-15132Aug 17, 2019
    risk 0.00cvss epss 0.02

    Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just…

  • CVE-2016-10742Feb 17, 2019
    risk 0.00cvss epss 0.03

    Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.

Page 5 of 6