CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-27927
https://notcve.org/view.php?id=CVE-2021-27927
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. En Zabbix desde las versiones 4.0.x anteriores a 4.0.28rc1, versiones 5.0.0alpha1 anteriores a 5.0.10rc1, versiones 5.2.x anteriores a 5.2.6rc1, y versiones 5.4.0alpha1 anteriores a 5.4.0beta2, el controlador CControllerAuthenticationUpdate carece de un mecanismo de protección CSRF. El código dentro de este controlador llama a diableSIDValidation dentro del método init(). • https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://support.zabbix.com/browse/ZBX-18942 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 2%CPEs: 7EXPL: 0CVE-2020-11800
https://notcve.org/view.php?id=CVE-2020-11800
Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. Zabbix Server versiones 2.2.x y 3.0.x anteriores a 3.0.31 y 3.2, permite a atacantes remotos ejecutar código arbitrario • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html https://support.zabbix.com/browse/DEV-1538 https://support.zabbix.com/browse/ZBX-17600 https://support.zabbix.com/browse/ZBXSEC-30 •
CVSS: 6.1EPSS: 7%CPEs: 18EXPL: 0CVE-2020-15803
https://notcve.org/view.php?id=CVE-2020-15803
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. Zabbix versiones anteriores a 3.0.32rc1, versiones 4.x anteriores a 4.0.22rc1, versiones 4.1.x hasta 4.4.x anteriores a 4.4.10rc1 y versiones 5.x anteriores a 5.0.2rc1, permite un ataque de tipo XSS almacenado en el widget URL • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html https://lists.debian.org/debian-lts-announce/2020/08/msg00007.html https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZHHIUYIVA5GZYLKW6A5G6HRELPOBZFE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TIRIMOXH6GSBAANDCB3ANLJK4CRLWRXT • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2013-3738
https://notcve.org/view.php?id=CVE-2013-3738
A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code. Se presenta una vulnerabilidad de inclusión de archivos en Zabbix versión 2.0.6, debido a un saneamiento inapropiado de las cadenas de petición en los scripts CGI, lo que podría conllevar a un usuario malicioso remoto ejecutar código arbitrario. • http://support.zabbix.com/browse/ZBX-6652 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-7484
https://notcve.org/view.php?id=CVE-2013-7484
Zabbix before 5.0 represents passwords in the users table with unsalted MD5. Zabbix versiones anteriores a 5.0, representa contraseñas en la tabla de usuarios con MD5 sin sal. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html https://support.zabbix.com/browse/ZBX-16551 https://support.zabbix.com/browse/ZBXNEXT-1898 • CWE-326: Inadequate Encryption Strength •