CVE-2014-3005
https://notcve.org/view.php?id=CVE-2014-3005
XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en Zabbix 1.8.x anteriores a 1.8.21rc1, 2.0.x anteriores a 2.0.13rc1, 2.2.x anteriores a 2.2.5rc1 y 2.3.x anteriores a 2.3.2 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar código arbitrario mediante un DTD manipulado en una petición XML. • http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134909.html http://seclists.org/fulldisclosure/2014/Jun/87 http://www.securityfocus.com/bid/68075 https://bugzilla.redhat.com/show_bug.cgi?id=1110496 https://support.zabbix.com/browse/ZBX-8151 https://web.archive.org/web/20140622034155/http://www.pnigos.com:80/?p=273 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2016-10134 – Zabbix toggle_ids SQL Injection
https://notcve.org/view.php?id=CVE-2016-10134
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. Vulnerabilidad de inyección SQL en Zabbix en versiones anteriores a 2.2.14 y 3.0 en versiones anteriores a 3.0.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro de array toggle_ids en latest.php. • http://www.debian.org/security/2017/dsa-3802 http://www.openwall.com/lists/oss-security/2017/01/12/4 http://www.openwall.com/lists/oss-security/2017/01/13/4 http://www.securityfocus.com/bid/95423 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936 https://code610.blogspot.com/2017/10/zbx-11023-quick-autopsy.html https://support.zabbix.com/browse/ZBX-11023 https://seclists.org/fulldisclosure/2016/Aug/60 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-9450
https://notcve.org/view.php?id=CVE-2014-9450
Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter. Múltiples vulnerabilidades de inyección SQL en chart_bar.php en el frontend en Zabbix anterior a 1.8.22, 2.0.x anterior a 2.0.14, y 2.2.x anterior a 2.2.8 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro (1) itemid o (2) periods. • http://secunia.com/advisories/61554 http://www.zabbix.com/rn1.8.22.php http://www.zabbix.com/rn2.0.14.php http://www.zabbix.com/rn2.2.8.php https://support.zabbix.com/browse/ZBX-8582 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-1682
https://notcve.org/view.php?id=CVE-2014-1682
The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request. La API en Zabbix anterior a 1.8.20rc1, 2.0.x anterior a 2.0.11rc1 y 2.2.x anterior a 2.2.2rc1 permite a usuarios remotos autenticados falsificar usuarios arbitrarios a través del nombre de usuario en una solicitud user.login. • http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html http://www.securityfocus.com/bid/65402 https://support.zabbix.com/browse/ZBX-7703 • CWE-287: Improper Authentication •
CVE-2014-1685
https://notcve.org/view.php?id=CVE-2014-1685
The Frontend in Zabbix before 1.8.20rc2, 2.0.x before 2.0.11rc2, and 2.2.x before 2.2.2rc1 allows remote "Zabbix Admin" users to modify the media of arbitrary users via unspecified vectors. Frontend en Zabbix anterior a 1.8.20rc2, 2.0.x anterior a 2.0.11rc2 y 2.2.x anterior a 2.2.2rc1 permite a usuarios remotos 'de administración de Zabbix' modificar los medios de usuarios arbitrarios a través de vectores no especificados. • http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html https://support.zabbix.com/browse/ZBX-7693 •