CVSS: 9.1EPSS: 74%CPEs: 1EXPL: 2CVE-2019-17382
https://notcve.org/view.php?id=CVE-2019-17382
09 Oct 2019 — An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. Se detectó un problema en zabbix.php? • https://github.com/K3ysTr0K3R/CVE-2019-17382-EXPLOIT • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.3EPSS: 1%CPEs: 5EXPL: 0CVE-2019-15132
https://notcve.org/view.php?id=CVE-2019-15132
17 Aug 2019 — Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. Zabbix versiones hasta 4.4.0alpha1, permite la enumeración de usuarios. Con las peticiones de inicio de sesión, es posible enumerar los nombres de usuario... • https://lists.debian.org/debian-lts-announce/2021/04/msg00018.html • CWE-203: Observable Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 1CVE-2016-10742
https://notcve.org/view.php?id=CVE-2016-10742
17 Feb 2019 — Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter. Zabbix, en versiones anteriores a la 2.2.21rc1, versiones 3.x anteriores a la 3.0.13rc1, versiones 3.1.x y versiones 3.2.x anteriores a la 3.2.10rc1, y en versiones 3.3.x y 3.4.x anteriores a la 3.4.4rc1, permite la redirección abierta mediante el parámetro request. • https://lists.debian.org/debian-lts-announce/2019/03/msg00010.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18289
https://notcve.org/view.php?id=CVE-2018-18289
14 Oct 2018 — The MESILAT Zabbix plugin before 1.1.15 for Atlassian Confluence allows attackers to read arbitrary files. El plugin MESILAT Zabbix en versiones anteriores a la 1.1.15 para Atlassian Confluence permite que los atacantes lean archivos arbitrarios. • https://marketplace.atlassian.com/apps/1215171/zabbix-plugin?hosting=server&tab=versions • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 24EXPL: 1CVE-2017-2826
https://notcve.org/view.php?id=CVE-2017-2826
09 Apr 2018 — An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability. Existe una vulnerabilidad de divulgación de información en la petición del proxy iConfig en las versiones 2.4.X del servidor Zabbix. Una petición del proxy i... • https://lists.debian.org/debian-lts-announce/2019/03/msg00010.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 1%CPEs: 43EXPL: 2CVE-2014-3005
https://notcve.org/view.php?id=CVE-2014-3005
01 Feb 2018 — XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request. Vulnerabilidad XEE (XML External Entity) en Zabbix 1.8.x anteriores a 1.8.21rc1, 2.0.x anteriores a 2.0.13rc1, 2.2.x anteriores a 2.2.5rc1 y 2.3.x anteriores a 2.3.2 permite que los atacantes remotos lean archivos arbitrarios o puedan ejecutar c... • http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 1CVE-2017-2825 – Debian Security Advisory 3937-1
https://notcve.org/view.php?id=CVE-2017-2825
12 Aug 2017 — In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and Server to trigger this vulnerability. En la funcionalidad trapper de Zabbix Server 2.4.x, los paquetes trapper específicamente manipulados pueden pasar comprobaciones de lógica de base de datos, lo que resulta en escrituras en la base de datos.... • http://www.securityfocus.com/bid/98094 •
CVSS: 8.1EPSS: 30%CPEs: 23EXPL: 2CVE-2017-2824 – Debian Security Advisory 3937-1
https://notcve.org/view.php?id=CVE-2017-2824
24 May 2017 — An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability. Se presenta una vulnerabilidad de ejecución de código explotable en la funcionalidad trapper command de Zabbix Server versiones 2.4.X. Un conjunto de paquetes especialmente diseñado puede causar una inyección d... • https://github.com/listenquiet/cve-2017-2824-reverse-shell • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 23%CPEs: 5EXPL: 2CVE-2016-10134 – Zabbix toggle_ids SQL Injection
https://notcve.org/view.php?id=CVE-2016-10134
16 Feb 2017 — SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. Vulnerabilidad de inyección SQL en Zabbix en versiones anteriores a 2.2.14 y 3.0 en versiones anteriores a 3.0.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro de array toggle_ids en latest.php. • https://packetstorm.news/files/id/180650 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 2%CPEs: 33EXPL: 5CVE-2016-4338 – Zabbix Agent 3.0.1 - 'mysql.size' Shell Command Injection
https://notcve.org/view.php?id=CVE-2016-4338
03 May 2016 — The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. La secuencia de comandos de configuración de parámetros de usuario de mysql (userparameter_mysql.conf) en el agente en Zabbix en versiones anteriores a 2.0.18, 2.2.x en versiones anteriores a 2.2.13 y 3.0.x en... • https://packetstorm.news/files/id/136898 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •