JavaScript pre-processing can be used by an attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.
Max CVSS: 8.5 | EPSS Score: 0.09% | Published: 2023-07-13 | Updated: 2023-08-22

CVE-2022-23134

Known exploited
After the initial setup process, some steps of the setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
Max CVSS: 5.3 | EPSS Score: 62.98% | Published: 2022-01-13 | Updated: 2023-06-27 | CISA KEV Added: 2022-02-22

During Zabbix installation from RPM, the DAC_OVERRIDE SELinux capability is in use to access PID files in the [/var/run/zabbix] folder. In this case, Zabbix Proxy or Server processes can bypass file read, write and execute permission checks at the file system level.
Max CVSS: 7.5 | EPSS Score: 0.10% | Published: 2022-01-13 | Updated: 2022-02-10

The API in Zabbix before 1.8.20rc1, 2.0.x before 2.0.11rc1, and 2.2.x before 2.2.2rc1 allows remote authenticated users to spoof arbitrary users via the user name in a user.login request.
Max CVSS: 4.0 | EPSS Score: 0.17% | Published: 2014-05-08 | Updated: 2014-05-09

The user.login function in Zabbix before 1.8.16 and 2.x before 2.0.5rc1 allows remote attackers to override LDAP configuration via the cnf parameter.
Max CVSS: 5.0 | EPSS Score: 0.71% | Published: 2013-12-14 | Updated: 2013-12-16

5 vulnerabilities found