Vulnerabilities > Zabbix
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-13 | CVE-2022-23131 | Authentication Bypass by Spoofing vulnerability in Zabbix: In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. | 5.1 |
2022-01-13 | CVE-2022-23132 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products: During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. | 7.3 |
2022-01-13 | CVE-2022-23133 | Cross-site Scripting vulnerability in multiple products: An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users. | 5.4 |
2022-01-13 | CVE-2022-23134 | Improper Authentication vulnerability in multiple products: After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. | 5.3 |
2022-01-06 | CVE-2022-22704 | Missing Initialization of Resource vulnerability in Zabbix Zabbix-Agent2: The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration. | 9.8 |
2021-03-03 | CVE-2021-27927 | Cross-Site Request Forgery (CSRF) vulnerability in Zabbix: In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. | 6.8 |
2020-10-07 | CVE-2020-11800 | Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. | 7.5 |
2020-07-17 | CVE-2020-15803 | Cross-site Scripting vulnerability in multiple products: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. | 6.1 |
2020-02-17 | CVE-2013-3738 | Improper Input Validation vulnerability in Zabbix 2.0.6: A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code. | 7.5 |
2020-02-07 | CVE-2013-3628 | Injection vulnerability in Zabbix 2.0.9: Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability. | 6.5 |