CVE-2013-3628 – Zabbix - (Authenticated) Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-3628
Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability Zabbix versión 2.0.9, presenta una Vulnerabilidad de Ejecución de Comandos Arbitraria. • https://www.exploit-db.com/exploits/29321 http://www.exploit-db.com/exploits/29321 http://www.securityfocus.com/bid/63453 https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2013-5743 – Zabbix 2.0.8 - SQL Injection / Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-5743
Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7. Múltiples vulnerabilidades de inyección SQL en Zabbix versiones 1.8.x anteriores a 1.8.18rc1, versiones 2.0.x anteriores a 2.0.9rc1 y versiones 2.1.x anteriores a 2.1.7. • https://www.exploit-db.com/exploits/28972 https://admin.fedoraproject.org/updates/zabbix-1.8.18-1.el6 https://admin.fedoraproject.org/updates/zabbix20-2.0.8-3.el6 https://admin.fedoraproject.org/updates/zabbix20-2.0.9-1.el5 https://support.zabbix.com/browse/ZBX-7091 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-5572 – Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure
https://notcve.org/view.php?id=CVE-2013-5572
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code. Zabbix v2.0.5 permite a usuarios autenticados remotamente descubrir la contraseña LDAP bind aprovechando el acceso a la consola de gestión y leyendo el valor ldap_bind_password en el código fuente HTML. • https://www.exploit-db.com/exploits/36157 http://archives.neohapsis.com/archives/fulldisclosure/2013-09/0149.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132376.html http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-3435 – Zabbix 2.0.1 - Session Extractor
https://notcve.org/view.php?id=CVE-2012-3435
SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter. Vulnerabilidad de inyección SQL en interfaces/php/popup_bitem.php en Zabbix v1.8.15rc1 y anteriores, y v2.x antes de v2.0.2rc1, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro itemid. • https://www.exploit-db.com/exploits/20087 http://git.zabbixzone.com/zabbix2.0/.git/commitdiff/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54 http://osvdb.org/84127 http://secunia.com/advisories/49809 http://secunia.com/advisories/50475 http://www.debian.org/security/2012/dsa-2539 http://www.exploit-db.com/exploits/20087 http://www.openwall.com/lists/oss-security/2012/07/27/6 http://www.openwall.com/lists/oss-security/2012/07/28/3 http://www.securityfocus.com/bid/54661 https • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2011-4615
https://notcve.org/view.php?id=CVE-2011-4615
Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php, the update action to (3) hosts.php and (4) scripts.php, and (5) maintenance.php. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Zabbix anterior a v1.8.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro gname (host conocido como nombre de los grupos) a (1) hostgroups.php y usergrps.php (2), la acción de actualización de (3) hosts.php y (4) scripts.php y maintenance.php (5). • http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071660.html http://lists.fedoraproject.org/pipermail/package-announce/2012-January/071687.html http://osvdb.org/77771 http://secunia.com/advisories/47216 http://www.securityfocus.com/bid/51093 http://www.zabbix.com/rn1.8.10.php https://exchange.xforce.ibmcloud.com/vulnerabilities/71855 https://support.zabbix.com/browse/ZBX-4015 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •