CVSS: 6.1EPSS: 7%CPEs: 18EXPL: 0CVE-2020-15803
https://notcve.org/view.php?id=CVE-2020-15803
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. Zabbix versiones anteriores a 3.0.32rc1, versiones 4.x anteriores a 4.0.22rc1, versiones 4.1.x hasta 4.4.x anteriores a 4.4.10rc1 y versiones 5.x anteriores a 5.0.2rc1, permite un ataque de tipo XSS almacenado en el widget URL • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7484
https://notcve.org/view.php?id=CVE-2013-7484
Zabbix before 5.0 represents passwords in the users table with unsalted MD5. Zabbix versiones anteriores a 5.0, representa contraseñas en la tabla de usuarios con MD5 sin sal. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html https://support.zabbix.com/browse/ZBX-16551 https://support.zabbix.com/browse/ZBXNEXT-1898 • CWE-326: Inadequate Encryption Strength •
CVSS: 5.3EPSS: 1%CPEs: 5EXPL: 0CVE-2019-15132
https://notcve.org/view.php?id=CVE-2019-15132
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. Zabbix versiones hasta 4.4.0alpha1, permite la enumeración de usuarios. Con las peticiones de inicio de sesión, es posible enumerar los nombres de usuario de la aplicación en función de la variabilidad de las respuestas del servidor (por ejemplo, los mensajes "Login name or password is incorrect" y "No permissions for system access", o solo bloqueando durante varios segundos). • https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://support.zabbix.com/browse/ZBX-16532 • CWE-203: Observable Discrepancy •