Zabbix

Zabbix

101 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2022-40626

  • EPSS 1.87%
  • Veröffentlicht 14.09.2022 11:15:53
  • Zuletzt bearbeitet 21.11.2024 07:21:44

An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.

5.4

CVE-2022-35230

  • EPSS 0.49%
  • Veröffentlicht 06.07.2022 11:15:09
  • Zuletzt bearbeitet 03.11.2025 22:15:59

An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is diffic...

5.4

CVE-2022-35229

  • EPSS 0.55%
  • Veröffentlicht 06.07.2022 11:15:08
  • Zuletzt bearbeitet 03.11.2025 22:15:58

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is dif...

7.2

CVE-2021-46088

Exploit
  • EPSS 2.97%
  • Veröffentlicht 27.01.2022 16:15:07
  • Zuletzt bearbeitet 21.11.2024 06:33:37

Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user.

9.8

CVE-2022-23131

Warnung
  • EPSS 94.3%
  • Veröffentlicht 13.01.2022 16:15:08
  • Zuletzt bearbeitet 30.10.2025 20:10:41

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issu...

7.5

CVE-2022-23132

  • EPSS 0.14%
  • Veröffentlicht 13.01.2022 16:15:08
  • Zuletzt bearbeitet 03.11.2025 22:15:55

During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permissions check on the file syste...

5.4

CVE-2022-23133

  • EPSS 0.9%
  • Veröffentlicht 13.01.2022 16:15:08
  • Zuletzt bearbeitet 03.11.2025 22:15:55

An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. When XSS is stored by an authenticated malicious actor and other users try to search for groups during new host creation,...

5.3

CVE-2022-23134

Warnung
  • EPSS 93.1%
  • Veröffentlicht 13.01.2022 16:15:08
  • Zuletzt bearbeitet 30.10.2025 20:10:35

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

8.8

CVE-2021-27927

  • EPSS 0.15%
  • Veröffentlicht 03.03.2021 17:15:12
  • Zuletzt bearbeitet 21.11.2024 05:58:50

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls dia...

9.8

CVE-2020-11800

  • EPSS 47.88%
  • Veröffentlicht 07.10.2020 16:15:15
  • Zuletzt bearbeitet 21.11.2024 04:58:39

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.