Page 12 of 88 results (0.012 seconds)

CVSS: 8.1EPSS: 65%CPEs: 23EXPL: 1

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability. Se presenta una vulnerabilidad de ejecución de código explotable en la funcionalidad trapper command de Zabbix Server versiones 2.4.X. Un conjunto de paquetes especialmente diseñado puede causar una inyección de comando resultando en la ejecución de código remota. • http://www.debian.org/security/2017/dsa-3937 http://www.securityfocus.com/bid/98083 https://talosintelligence.com/vulnerability_reports/TALOS-2017-0325 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.8EPSS: 4%CPEs: 5EXPL: 1

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. Vulnerabilidad de inyección SQL en Zabbix en versiones anteriores a 2.2.14 y 3.0 en versiones anteriores a 3.0.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro de array toggle_ids en latest.php. • http://www.debian.org/security/2017/dsa-3802 http://www.openwall.com/lists/oss-security/2017/01/12/4 http://www.openwall.com/lists/oss-security/2017/01/13/4 http://www.securityfocus.com/bid/95423 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936 https://code610.blogspot.com/2017/10/zbx-11023-quick-autopsy.html https://support.zabbix.com/browse/ZBX-11023 https://seclists.org/fulldisclosure/2016/Aug/60 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.1EPSS: 2%CPEs: 33EXPL: 4

The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. La secuencia de comandos de configuración de parámetros de usuario de mysql (userparameter_mysql.conf) en el agente en Zabbix en versiones anteriores a 2.0.18, 2.2.x en versiones anteriores a 2.2.13 y 3.0.x en versiones anteriores a 3.0.3, cuando se utiliza con un shell que no sea bash, permite a atacantes dependientes de contexto ejecutar código arbitrario o comandos SQL a través del parámetro mysql.size. Zabbix Agent version 3.0.1 suffers from a remote shell command injection vulnerability via mysql.size. • https://www.exploit-db.com/exploits/39769 http://packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.html http://seclists.org/fulldisclosure/2016/May/9 http://www.securityfocus.com/archive/1/538258/100/0/threaded http://www.securityfocus.com/bid/89631 https://security.gentoo.org/glsa/201612-42 https://support.zabbix.com/browse/ZBX-10741 https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018#miscellaneous_improvements https://www&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 57EXPL: 0

Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter. Múltiples vulnerabilidades de inyección SQL en chart_bar.php en el frontend en Zabbix anterior a 1.8.22, 2.0.x anterior a 2.0.14, y 2.2.x anterior a 2.2.8 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro (1) itemid o (2) periods. • http://secunia.com/advisories/61554 http://www.zabbix.com/rn1.8.22.php http://www.zabbix.com/rn2.0.14.php http://www.zabbix.com/rn2.2.8.php https://support.zabbix.com/browse/ZBX-8582 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.0EPSS: 0%CPEs: 46EXPL: 0

The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. La API en Zabbix anterior a 1.8.20rc1, 2.0.x anterior a 2.0.11rc1 y 2.2.x anterior a 2.2.2rc1 permite a usuarios remotos autenticados falsificar usuarios arbitrarios a través del nombre de usuario en una solicitud user.login. • http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html http://www.securityfocus.com/bid/65402 https://support.zabbix.com/browse/ZBX-7703 • CWE-287: Improper Authentication •