Vulnerabilities > Zabbix

DATE CVE VULNERABILITY TITLE RISK
2022-01-13 CVE-2022-23131 Authentication Bypass by Spoofing vulnerability in Zabbix
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified.
network
high complexity
zabbix CWE-290
5.1
2022-01-13 CVE-2022-23132 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder.
network
low complexity
zabbix fedoraproject CWE-732
7.3
2022-01-13 CVE-2022-23133 Cross-site Scripting vulnerability in multiple products
An authenticated user can create a hosts group from the configuration with XSS payload, which will be available for other users.
network
low complexity
zabbix fedoraproject CWE-79
5.4
2022-01-13 CVE-2022-23134 Improper Authentication vulnerability in multiple products
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.
network
low complexity
zabbix fedoraproject debian CWE-287
5.3
2022-01-06 CVE-2022-22704 Missing Initialization of Resource vulnerability in Zabbix Zabbix-Agent2
The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration.
network
low complexity
zabbix CWE-909
critical
9.8
2021-03-03 CVE-2021-27927 Cross-Site Request Forgery (CSRF) vulnerability in Zabbix
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism.
network
zabbix CWE-352
6.8
2020-10-07 CVE-2020-11800 Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.
network
low complexity
zabbix opensuse debian
7.5
2020-07-17 CVE-2020-15803 Cross-site Scripting vulnerability in multiple products
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.
network
low complexity
zabbix fedoraproject debian opensuse CWE-79
6.1
2020-02-17 CVE-2013-3738 Improper Input Validation vulnerability in Zabbix 2.0.6
A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.
network
low complexity
zabbix CWE-20
7.5
2020-02-07 CVE-2013-3628 Injection vulnerability in Zabbix 2.0.9
Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability
network
low complexity
zabbix CWE-74
6.5