9.1

CVE-2024-22120

Exploit
Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZabbixZabbix Version >= 6.0.0 < 6.0.28
ZabbixZabbix Version >= 6.4.0 < 6.4.13
ZabbixZabbix Version7.0.0 Updatealpha1
ZabbixZabbix Version7.0.0 Updatealpha2
ZabbixZabbix Version7.0.0 Updatealpha3
ZabbixZabbix Version7.0.0 Updatealpha4
ZabbixZabbix Version7.0.0 Updatealpha5
ZabbixZabbix Version7.0.0 Updatealpha6
ZabbixZabbix Version7.0.0 Updatealpha7
ZabbixZabbix Version7.0.0 Updatealpha8
ZabbixZabbix Version7.0.0 Updatealpha9
ZabbixZabbix Version7.0.0 Updatebeta1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 93.12% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@zabbix.com 9.1 2.3 6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.