CVSS: 9.1EPSS: 93%CPEs: 2EXPL: 3CVE-2024-22120 – Time Based SQL Injection in Zabbix Server Audit Log
https://notcve.org/view.php?id=CVE-2024-22120
17 May 2024 — Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. El servidor Zabbix puede realizar la ejecución de comandos para scripts configurados. Después de ejecutar el comando, la entrada de auditoría se agrega al "Registro de auditoría". • https://github.com/W01fh4cker/CVE-2024-22120-RCE • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 1CVE-2024-22119 – Stored XSS in graph items select form
https://notcve.org/view.php?id=CVE-2024-22119
09 Feb 2024 — The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section. La causa de la vulnerabilidad es la validación inadecuada del campo de entrada del formulario "Nombre" en la página Gráfico en la sección Elementos. • https://lists.debian.org/debian-lts-announce/2024/04/msg00020.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-32724 – JavaScript engine memory pointers are directly available for Zabbix users for modification
https://notcve.org/view.php?id=CVE-2023-32724
12 Oct 2023 — Memory pointer is in a property of the Ducktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation. El puntero de memoria está en una propiedad del objeto Ducktape. Esto conduce a múltiples vulnerabilidades relacionadas con el acceso directo y la manipulación de la memoria. • https://support.zabbix.com/browse/ZBX-23391 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.6EPSS: 0%CPEs: 5EXPL: 0CVE-2023-32722 – Stack-buffer Overflow in library module zbxjson
https://notcve.org/view.php?id=CVE-2023-32722
12 Oct 2023 — The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open. El módulo zabbix/src/libs/zbxjson es vulnerable a un desbordamiento del búfer al analizar archivos JSON a través de zbx_json_open. • https://support.zabbix.com/browse/ZBX-23390 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 7.6EPSS: 0%CPEs: 7EXPL: 0CVE-2023-32721 – Stored XSS in Maps element
https://notcve.org/view.php?id=CVE-2023-32721
12 Oct 2023 — A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL. Se ha encontrado Cross-Site Scripting (XSS) almacenado en la aplicación web Zabbix en el elemento Maps si un campo URL está configurado con espacios antes de la URL. • https://lists.debian.org/debian-lts-announce/2024/01/msg00012.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •