CVE-2024-42327 – SQL injection in user.get API
https://notcve.org/view.php?id=CVE-2024-42327
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection exists in the addRelatedObjects function of the CUser class; that function is called from CUser.get, which is available to every user who has API access. • https://support.zabbix.com/browse/ZBX-25623 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-42326 – Use after free vulnerability in browser.c
https://notcve.org/view.php?id=CVE-2024-42326
A use-after-free bug was discovered in browser.c in the es_browser_get_variant function. • https://support.zabbix.com/browse/ZBX-25622 • CWE-416: Use After Free •
CVE-2024-36463
https://notcve.org/view.php?id=CVE-2024-36463
The implementation of atob in "Zabbix JS" allows creating a string with arbitrary content and using it to access internal properties of objects. • https://support.zabbix.com/browse/ZBX-25611 • CWE-767: Access to Critical Private Variable via Public Method •
CVE-2024-22117 – Value of sysmap_element_url can be de-synchronized, causing the map element to crash when a new URL is added
https://notcve.org/view.php?id=CVE-2024-22117
When a URL is added to a map element, it is recorded in the database with a sequential ID. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, if a user manually sets the sysmapelementurlid value to sysmapelementurlid + 1, the ID sequence is de-synchronized and other users can no longer add URLs to the map element. • https://support.zabbix.com/browse/ZBX-25610 • CWE-20: Improper Input Validation •
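The ID-allocation failure described above, reproduced as an added example; this is not code from the advisory or from Zabbix. It assumes a simplified sysmap_element_url table, a hypothetical counter table named ids that stores the last id handed out, and an in-memory SQLite database. The vulnerable function writes a client-supplied sysmapelementurlid straight through, so a user can plant a row at the id the counter will produce next and every later insert collides; the hardened function lets the database allocate the key and ignores whatever id the request carries.

```python
import sqlite3

TABLE = "sysmap_element_url"


def make_db():
    """Constructed schema: the URL table plus an application-managed id counter (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {TABLE} (
            sysmapelementurlid INTEGER PRIMARY KEY,
            selementid INTEGER NOT NULL,
            name TEXT NOT NULL,
            url TEXT NOT NULL
        );
        -- last id handed out for each table; read and incremented by the application
        CREATE TABLE ids (table_name TEXT PRIMARY KEY, lastid INTEGER NOT NULL);
        INSERT INTO ids VALUES ('{TABLE}', 0);
    """)
    return conn


def next_id(conn):
    """Increment the stored counter and return the new value (the 'last id + 1' scheme)."""
    conn.execute("UPDATE ids SET lastid = lastid + 1 WHERE table_name = ?", (TABLE,))
    return conn.execute("SELECT lastid FROM ids WHERE table_name = ?", (TABLE,)).fetchone()[0]


def add_url_trusting_client(conn, selementid, name, url, client_id=None):
    """Vulnerable pattern: an id present in the request is used as-is, bypassing the counter.

    Returns the id written, or None when the insert collides with an existing row."""
    new_id = client_id if client_id is not None else next_id(conn)
    try:
        conn.execute(
            f"INSERT INTO {TABLE} (sysmapelementurlid, selementid, name, url) VALUES (?, ?, ?, ?)",
            (new_id, selementid, name, url),
        )
        conn.commit()
        return new_id
    except sqlite3.IntegrityError:
        # Duplicate primary key: the counter now points at a row the client planted.
        conn.rollback()
        return None


def add_url_server_assigned(conn, selementid, name, url, client_id=None):
    """Hardened pattern: the key is allocated by the database at insert time.

    client_id is accepted only so the call shape matches the vulnerable version; it is
    deliberately ignored, so a request cannot poison the sequence."""
    cur = conn.execute(
        f"INSERT INTO {TABLE} (selementid, name, url) VALUES (?, ?, ?)",
        (selementid, name, url),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    vuln = make_db()
    print("victim adds URL ->", add_url_trusting_client(vuln, 1, "a", "http://a"))
    print("attacker plants id 2 ->", add_url_trusting_client(vuln, 1, "b", "http://b", client_id=2))
    print("victim adds again ->", add_url_trusting_client(vuln, 1, "c", "http://c"))

    safe = make_db()
    print("hardened:", [
        add_url_server_assigned(safe, 1, "a", "http://a"),
        add_url_server_assigned(safe, 1, "b", "http://b", client_id=2),
        add_url_server_assigned(safe, 1, "c", "http://c"),
    ])
```

In the vulnerable flow the third insert fails and keeps failing, because the counter is rolled back to the value that collides; that is the "nobody else can add URLs" symptom the advisory describes. The fix is not to validate the supplied id more carefully but to stop accepting it at all.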
CVE-2024-22119 – Stored XSS in graph items select form
https://notcve.org/view.php?id=CVE-2024-22119
The cause of the vulnerability is improper validation of the "Name" form input field on the Graph page in the Items section. • https://lists.debian.org/debian-lts-announce/2024/04/msg00020.html https://support.zabbix.com/browse/ZBX-24070 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •