CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 1

Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.

• https://lists.debian.org/debian-lts-announce/2019/03/msg00010.html
• https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html
• https://support.zabbix.com/browse/ZBX-10272
• https://support.zabbix.com/browse/ZBX-13133

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 9.8 | EPSS: 4% | CPEs: 5 | EXPL: 1

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.

• http://www.debian.org/security/2017/dsa-3802
• http://www.openwall.com/lists/oss-security/2017/01/12/4
• http://www.openwall.com/lists/oss-security/2017/01/13/4
• http://www.securityfocus.com/bid/95423
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936
• https://code610.blogspot.com/2017/10/zbx-11023-quick-autopsy.html
• https://support.zabbix.com/browse/ZBX-11023
• https://seclists.org/fulldisclosure/2016/Aug/60

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.1 | EPSS: 2% | CPEs: 33 | EXPL: 4

The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. Zabbix Agent version 3.0.1 suffers from a remote shell command injection vulnerability via mysql.size.

• https://www.exploit-db.com/exploits/39769
• http://packetstormsecurity.com/files/136898/Zabbix-Agent-3.0.1-mysql.size-Shell-Command-Injection.html
• http://seclists.org/fulldisclosure/2016/May/9
• http://www.securityfocus.com/archive/1/538258/100/0/threaded
• http://www.securityfocus.com/bid/89631
• https://security.gentoo.org/glsa/201612-42
• https://support.zabbix.com/browse/ZBX-10741
• https://www.zabbix.com/documentation/2.0/manual/introduction/whatsnew2018#miscellaneous_improvements
• https://www&#

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')