Vulnerabilities > Zabbix > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-13 | CVE-2023-29458 | Improper Validation of Array Index vulnerability in Zabbix 5.0.34/6.0.17/6.4.2 Duktape is an 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. | 7.5 |
| 2023-07-13 | CVE-2023-29450 | Files or Directories Accessible to External Parties vulnerability in Zabbix JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. | 7.5 |
| 2022-01-27 | CVE-2021-46088 | Unspecified vulnerability in Zabbix Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). | 7.2 |
| 2022-01-13 | CVE-2022-23132 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is in use to access PID files in [/var/run/zabbix] folder. | 7.3 |
| 2021-03-03 | CVE-2021-27927 | Cross-Site Request Forgery (CSRF) vulnerability in Zabbix In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. | 8.8 |
| 2020-02-07 | CVE-2013-3628 | Injection vulnerability in Zabbix 2.0.9 Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability | 8.8 |
| 2019-11-30 | CVE-2013-7484 | Inadequate Encryption Strength vulnerability in Zabbix 2.0.8/4.4.0 Zabbix before 5.0 represents passwords in the users table with unsalted MD5. | 7.5 |
| 2018-04-20 | CVE-2017-2825 | In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. | 7.0 |
| 2017-05-24 | CVE-2017-2824 | OS Command Injection vulnerability in Zabbix An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. | 8.1 |
| 2017-01-23 | CVE-2016-4338 | SQL Injection vulnerability in Zabbix The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | 8.1 |