CVE-2023-32727 – Code execution vulnerability in icmpping
https://notcve.org/view.php?id=CVE-2023-32727
An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server. Un atacante que tiene el privilegio de configurar elementos de Zabbix puede usar la función icmpping() con un comando malicioso adicional dentro para ejecutar código arbitrario en el servidor Zabbix actual. • https://support.zabbix.com/browse/ZBX-23857 • CWE-20: Improper Input Validation •
CVE-2023-32726 – Possible buffer overread from reading DNS responses
https://notcve.org/view.php?id=CVE-2023-32726
The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server. La vulnerabilidad se debe a una verificación incorrecta de si RDLENGTH no desborda el búfer en respuesta del servidor DNS. • https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BYSYLA7VTHR25CBLYO5ZLEJFGU7HTHQB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMFKNV5E4LG2DIZNPRWQ2ENH75H6UEQT https://support.zabbix.com/browse/ZBX-23855 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2023-32725 – Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.
https://notcve.org/view.php?id=CVE-2023-32725
The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. El sitio web configurado en el widget de la URL recibirá una cookie de sesión al probar o ejecutar informes programados. La cookie de sesión recibida se puede utilizar para acceder a la interfaz como usuario particular. • https://support.zabbix.com/browse/ZBX-23854 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVE-2023-32724 – JavaScript engine memory pointers are directly available for Zabbix users for modification
https://notcve.org/view.php?id=CVE-2023-32724
Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation. El puntero de memoria está en una propiedad del objeto Ducktape. Esto conduce a múltiples vulnerabilidades relacionadas con el acceso directo y la manipulación de la memoria. • https://support.zabbix.com/browse/ZBX-23391 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-32723 – Inefficient permission check in class CControllerAuthenticationUpdate
https://notcve.org/view.php?id=CVE-2023-32723
Request to LDAP is sent before user permissions are checked. La solicitud a LDAP se envía antes de que se verifiquen los permisos del usuario. • https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html https://support.zabbix.com/browse/ZBX-23230 • CWE-732: Incorrect Permission Assignment for Critical Resource •