CVSS: 9.8EPSS: 23%CPEs: 5EXPL: 2CVE-2016-10134 – Zabbix toggle_ids SQL Injection
https://notcve.org/view.php?id=CVE-2016-10134
16 Feb 2017 — SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. Vulnerabilidad de inyección SQL en Zabbix en versiones anteriores a 2.2.14 y 3.0 en versiones anteriores a 3.0.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro de array toggle_ids en latest.php. • https://packetstorm.news/files/id/180650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 57EXPL: 0CVE-2014-9450
https://notcve.org/view.php?id=CVE-2014-9450
02 Jan 2015 — Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter. Múltiples vulnerabilidades de inyección SQL en chart_bar.php en el frontend en Zabbix anterior a 1.8.22, 2.0.x anterior a 2.0.14, y 2.2.x anterior a 2.2.8 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro (1) itemid o (2) periods. • http://secunia.com/advisories/61554 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 46EXPL: 0CVE-2014-1682
https://notcve.org/view.php?id=CVE-2014-1682
08 May 2014 — The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. La API en Zabbix anterior a 1.8.20rc1, 2.0.x anterior a 2.0.11rc1 y 2.2.x anterior a 2.2.2rc1 permite a usuarios remotos autenticados falsificar usuarios arbitrarios a través del nombre de usuario en una solicitud user.login. • http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 46EXPL: 0CVE-2014-1685
https://notcve.org/view.php?id=CVE-2014-1685
08 May 2014 — The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2.2.x before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the media of arbitrary users via unspecified vectors. Frontend en Zabbix anterior a 1.8.20rc2, 2.0.x anterior a 2.0.11rc2 y 2.2.x anterior a 2.2.2rc1 permite a usuarios remotos 'de administración de Zabbix' modificar los medios de usuarios arbitrarios a través de vectores no especificados. • http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html •
CVSS: 5.9EPSS: 0%CPEs: 22EXPL: 0CVE-2012-6086
https://notcve.org/view.php?id=CVE-2012-6086
29 Jan 2014 — libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. libs/zbxmedia/eztexting.c en Zabbix 1.8.x anterior 1.8.18rc1, 2.0.x anterior a 2.0.8rc1, y 2.1.x anterior a 2.1.2 no fija adecuadamente la opción CURLOPT_SSL_VERIFYHOST para libcurl, lo que permite a atacantes man-in-the-middle falsificar ... • http://www.openwall.com/lists/oss-security/2013/01/03/1 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1CVE-2013-6824 – Gentoo Linux Security Advisory 201401-26
https://notcve.org/view.php?id=CVE-2013-6824
19 Dec 2013 — Zabbix before 1.8.19rc1, 2.0 before 2.0.10rc1, and 2.2 before 2.2.1rc1 allows remote Zabbix servers and proxies to execute arbitrary commands via a newline in a flexible user parameter. Zabbix anteriores a 1.8.19rc1, 2.0 anteriores a 2.0.10rc1 y 2.2 anteriores a 2.2.1rc1 permite a servidores y proxies Zabbix remotos ejectar comandos de forma arbitraria a través de una newline con unos parámetros de usuarios flexibles. A vulnerability in Zabbix could allow remote attackers to execute arbitrary shell code. Ve... • http://security.gentoo.org/glsa/glsa-201401-26.xml • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0CVE-2013-1364 – Gentoo Linux Security Advisory 201311-15
https://notcve.org/view.php?id=CVE-2013-1364
25 Nov 2013 — The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter. La función user.login en Zabbix anteriores a 1.8.16 y 2.x (anteriores a 2.0.5rc1) permite a atacantes remotos sobreescribir configuraciones LDAP a través del parámetro cnf. Multiple vulnerabilities have been found in Zabbix, possibly leading to SQL injection attacks, Denial of Service, or information disclosure. Versions less than 2.0.9_rc1-r2 are affected. • http://secunia.com/advisories/55824 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 96%CPEs: 3EXPL: 2CVE-2013-5743 – Zabbix 2.0.8 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-5743
04 Oct 2013 — Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7. Múltiples vulnerabilidades de inyección SQL en Zabbix versiones 1.8.x anteriores a 1.8.18rc1, versiones 2.0.x anteriores a 2.0.9rc1 y versiones 2.1.x anteriores a 2.1.7. Zabbix versions 2.0.8 and below suffer from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/123605 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 70EXPL: 4CVE-2012-3435 – Zabbix 2.0.1 - Session Extractor
https://notcve.org/view.php?id=CVE-2012-3435
15 Aug 2012 — SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter. Vulnerabilidad de inyección SQL en interfaces/php/popup_bitem.php en Zabbix v1.8.15rc1 y anteriores, y v2.x antes de v2.0.2rc1, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro itemid. Multiple vulnerabilities have been found in Zabbix, possibly leading to SQL injection... • https://www.exploit-db.com/exploits/20087 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 84EXPL: 0CVE-2011-4615
https://notcve.org/view.php?id=CVE-2011-4615
29 Dec 2011 — Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php, the update action to (3) hosts.php and (4) scripts.php, and (5) maintenance.php. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Zabbix anterior a v1.8.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro gname... • http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071660.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •