Zabbix: Security Vulnerabilities, CVEs, Published In 2019
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Max CVSS: 9.1; EPSS Score: 35.52%; Published: 2019-10-09; Updated: 2023-08-22
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.
Max CVSS: 5.3; EPSS Score: 0.96%; Published: 2019-08-17; Updated: 2023-04-12
Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.
Max CVSS: 6.1; EPSS Score: 0.24%; Published: 2019-02-17; Updated: 2020-11-21
Zabbix before 5.0 represents passwords in the users table with unsalted MD5.
Max CVSS: 7.5; EPSS Score: 0.20%; Published: 2019-11-30; Updated: 2023-08-22
CVE-2013-5743
Public exploit
Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.
Max CVSS: 9.8; EPSS Score: 97.40%; Published: 2019-12-11; Updated: 2019-12-16
5 vulnerabilities found