9.1

CVE-2024-22120

Exploit

Time Based SQL Injection in Zabbix Server Audit Log

Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZabbixZabbix Version >= 6.0.0 < 6.0.28
ZabbixZabbix Version >= 6.4.0 < 6.4.13
ZabbixZabbix Version7.0.0 Updatealpha1
ZabbixZabbix Version7.0.0 Updatealpha2
ZabbixZabbix Version7.0.0 Updatealpha3
ZabbixZabbix Version7.0.0 Updatealpha4
ZabbixZabbix Version7.0.0 Updatealpha5
ZabbixZabbix Version7.0.0 Updatealpha6
ZabbixZabbix Version7.0.0 Updatealpha7
ZabbixZabbix Version7.0.0 Updatealpha8
ZabbixZabbix Version7.0.0 Updatealpha9
ZabbixZabbix Version7.0.0 Updatebeta1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 92.12% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@zabbix.com 9.1 2.3 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.