9.1

CVE-2024-42330

EPSS 0.23%
Veröffentlicht 27.11.2024 12:15:21
Zuletzt bearbeitet 03.11.2025 22:18:04
Quelle security@zabbix.com
CVE-Watchlists
Login
Unerledigt
Login

JS - Internal strings in HTTP headers

The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows to create internal strings that can be used to access hidden properties of objects.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 4 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zabbix ≫ Zabbix Version >= 5.0.0 < 5.4.6

Zabbix ≫ Zabbix Version >= 6.0.0 < 6.0.34

Zabbix ≫ Zabbix Version >= 6.4.0 < 6.4.19

Zabbix ≫ Zabbix Version >= 7.0.0 < 7.0.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.457

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@zabbix.com	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

https://support.zabbix.com/browse/ZBX-25626

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html

https://nvd.nist.gov/vuln/detail/CVE-2024-42330

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-42330

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-42330

EUVD