Page 2 of 11 results (0.003 seconds)

CVSS: 9.8EPSS: 2%CPEs: 7EXPL: 0

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. Zabbix Server versiones 2.2.x y 3.0.x anteriores a 3.0.31 y 3.2, permite a atacantes remotos ejecutar código arbitrario • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html https://support.zabbix.com/browse/DEV-1538 https://support.zabbix.com/browse/ZBX-17600 https://support.zabbix.com/browse/ZBXSEC-30 •

CVSS: 6.1EPSS: 4%CPEs: 18EXPL: 0

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. Zabbix versiones anteriores a 3.0.32rc1, versiones 4.x anteriores a 4.0.22rc1, versiones 4.1.x hasta 4.4.x anteriores a 4.4.10rc1 y versiones 5.x anteriores a 5.0.2rc1, permite un ataque de tipo XSS almacenado en el widget URL • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Zabbix before 5.0 represents passwords in the users table with unsalted MD5. Zabbix versiones anteriores a 5.0, representa contraseñas en la tabla de usuarios con MD5 sin sal. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html https://support.zabbix.com/browse/ZBX-16551 https://support.zabbix.com/browse/ZBXNEXT-1898 • CWE-326: Inadequate Encryption Strength •

CVSS: 9.1EPSS: 35%CPEs: 1EXPL: 2

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. Se detectó un problema en zabbix.php? • https://github.com/K3ysTr0K3R/CVE-2019-17382-EXPLOIT https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html https://www.exploit-db.com/exploits/47467 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 5.3EPSS: 1%CPEs: 5EXPL: 0

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. Zabbix versiones hasta 4.4.0alpha1, permite la enumeración de usuarios. Con las peticiones de inicio de sesión, es posible enumerar los nombres de usuario de la aplicación en función de la variabilidad de las respuestas del servidor (por ejemplo, los mensajes "Login name or password is incorrect" y "No permissions for system access", o solo bloqueando durante varios segundos). • https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://support.zabbix.com/browse/ZBX-16532 • CWE-203: Observable Discrepancy •