CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29458 – Duktape 2.6 bug crashes JavaScript putting too many values in valstack.
https://notcve.org/view.php?id=CVE-2023-29458
13 Jul 2023 — Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to bug in Duktape 2.6 which is an 3rd-party solution that we use. • https://support.zabbix.com/browse/ZBX-22989 • CWE-129: Improper Validation of Array Index •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29456 – Inefficient URL schema validation
https://notcve.org/view.php?id=CVE-2023-29456
13 Jul 2023 — URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-29455 – Reflected XSS in several fields of graph form
https://notcve.org/view.php?id=CVE-2023-29455
13 Jul 2023 — Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29454 – Persistent XSS in the user form
https://notcve.org/view.php?id=CVE-2023-29454
13 Jul 2023 — Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2023-29452 – Remove possibility to add html into Geomap attribution field
https://notcve.org/view.php?id=CVE-2023-29452
13 Jul 2023 — Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider. • https://support.zabbix.com/browse/ZBX-22981 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-29451 – Denial of service caused by a bug in the JSON parser
https://notcve.org/view.php?id=CVE-2023-29451
13 Jul 2023 — Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-29450 – Unauthorized limited filesystem access from preprocessing
https://notcve.org/view.php?id=CVE-2023-29450
13 Jul 2023 — JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. • https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 13EXPL: 0CVE-2023-29449 – Limited control of resource utilization in JS preprocessing
https://notcve.org/view.php?id=CVE-2023-29449
13 Jul 2023 — JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should be typically granted to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access. • https://support.zabbix.com/browse/ZBX-22589 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 6%CPEs: 4EXPL: 0CVE-2022-46768 – File name information disclosure vulnerability in Zabbix Web Service Report Generation
https://notcve.org/view.php?id=CVE-2022-46768
15 Dec 2022 — Arbitrary file read vulnerability exists in Zabbix Web Service Report Generation, which listens on the port 10053. The service does not have proper validation for URL parameters before reading the files. Existe una vulnerabilidad de lectura arbitraria de archivos en la generación de informes del servicio web Zabbix, que escucha en el puerto 10053. El servicio no tiene una validación adecuada de los parámetros de URL antes de leer los archivos. This vulnerability allows remote attackers to disclose sensitive... • https://support.zabbix.com/browse/ZBX-22087 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 1CVE-2022-43516 – Zabbix Agent installer adds “allow all TCP any any” firewall rule
https://notcve.org/view.php?id=CVE-2022-43516
05 Dec 2022 — A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI) Una regla de firewall que permite todas las conexiones TCP entrantes a todos los programas desde cualquier fuente y a todos los puertos se crea en el Firewall de Windows después de la instalación del agente Zabbix (MSI). • https://support.zabbix.com/browse/ZBX-22002 • CWE-16: Configuration •