Zabbix Security Advisories

Though the development process is designed to eliminate any possibility of security issues, it is still possible that new vulnerabilities might be discovered. Zabbix treats security issues in maintained versions as high priority.

How to report a security issue?
Versions
Zabbix Component
Severity
Year
66 results found in 4ms
Sort by
  1. CVE/Advisory number:CVE-2024-42325
    Synopsis:Excessive information returned by user.get
    Description:user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.
    Known Attack Vectors:An authenticated Zabbix API user with low privileges could call user.get.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:
    ComponentSeverityAffected versionFix versionTickets
    API2.1 low
    5.0.0-5.0.45
    6.0.0-6.0.37
    7.0.0-7.0.8
    7.2.0-7.2.2
    5.0.46rc1
    6.0.38rc1
    7.0.9rc1
    7.2.3rc1

    Excessive information returned by user.get

    CVE ID: CVE-2024-42325
    Component: API
    Severity
    2.1 low
    Affected versions
    5.0.0-5.0.45
    6.0.0-6.0.37
    7.0.0-7.0.8
    7.2.0-7.2.2
    Fixed versions
    5.0.46rc1
    6.0.38rc1
    7.0.9rc1
    7.2.3rc1
    2025-04-02
  2. CVE/Advisory number:CVE-2024-36465
    Synopsis:SQL injection in Zabbix API
    Description:A low privilege (regular) Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.
    Known Attack Vectors:An authenticated Zabbix API user could inject the malicious SQL.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank cynau1t for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    API8.6 high
    7.0.0-7.0.7
    7.2.0-7.2.1
    7.0.8rc2
    7.2.2rc1

    SQL injection in Zabbix API

    CVE ID: CVE-2024-36465
    Component: API
    Severity
    8.6 high
    Affected versions
    7.0.0-7.0.7
    7.2.0-7.2.1
    Fixed versions
    7.0.8rc2
    7.2.2rc1
    2025-04-02
  3. CVE/Advisory number:CVE-2024-36469
    Synopsis:User enumeration via timing attack
    Description:Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.
    Known Attack Vectors:Someone with an access to Zabbix frontend or Zabbix API could time unsuccessful logins.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank Jens Just Iversen (jensji) for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Frontend, API2.3 low
    5.0.0-5.0.45
    6.0.0-6.0.37
    7.0.0-7.0.8
    7.2.0-7.2.2
    5.0.46rc1
    6.0.38rc1
    7.0.9rc1
    7.2.3rc1

    User enumeration via timing attack

    CVE ID: CVE-2024-36469
    Component: Frontend, API
    Severity
    2.3 low
    Affected versions
    5.0.0-5.0.45
    6.0.0-6.0.37
    7.0.0-7.0.8
    7.2.0-7.2.2
    Fixed versions
    5.0.46rc1
    6.0.38rc1
    7.0.9rc1
    7.2.3rc1
    2025-04-02
  4. CVE/Advisory number:CVE-2024-45699
    Synopsis:Reflected XSS vulnerability
    Description:The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.
    Known Attack Vectors:A malicious website could be hosted on the internet, but exploitation requires a logged in Zabbix user clicking on a malicious link.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank ginoah for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Frontend7.5 high
    6.0.0-6.0.36
    6.4.0-6.4.20
    7.0.0-7.0.6
    6.0.37rc1
    6.4.21rc1
    7.0.7rc1

    Reflected XSS vulnerability

    CVE ID: CVE-2024-45699
    Component: Frontend
    Severity
    7.5 high
    Affected versions
    6.0.0-6.0.36
    6.4.0-6.4.20
    7.0.0-7.0.6
    Fixed versions
    6.0.37rc1
    6.4.21rc1
    7.0.7rc1
    2025-04-02
  5. CVE/Advisory number:CVE-2024-45700
    Synopsis:DoS vulnerability due to uncontrolled resource exhaustion
    Description:Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash.
    Known Attack Vectors:A malicious request could be sent by anyone who has access to Zabbix server/proxy ports.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank kelsier for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server, Proxy6 medium
    6.0.0-6.0.38
    7.0.0-7.0.9
    7.2.0-7.2.3
    6.0.39rc1
    7.0.10rc1
    7.2.4rc1
  6. CVE/Advisory number:CVE-2024-42333
    Synopsis:Heap buffer over-read
    Description:The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out of bounds read in src/libs/zbxmedia/email.c
    Known Attack Vectors:This vulnerability may be used to disclose very limited memory contents or cause denial of service. Only a Super Admin user can trigger this vulnerability due to fact that super admin user can send test email.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server2.7 low
    6.0.0-6.0.33
    6.4.0-6.4.18
    7.0.0-7.0.3
    6.0.34rc1
    6.4.19rc1
    7.0.4rc1

    Heap buffer over-read

    CVE ID: CVE-2024-42333
    Component: Server
    Severity
    2.7 low
    Affected versions
    6.0.0-6.0.33
    6.4.0-6.4.18
    7.0.0-7.0.3
    Fixed versions
    6.0.34rc1
    6.4.19rc1
    7.0.4rc1
    2024-11-29
  7. CVE/Advisory number:CVE-2024-42332
    Synopsis:New line injection in Zabbix SNMP traps
    Description:The researcher is showing that due to the way the SNMP trap log is parsed, an attacker can craft an SNMP trap with additional lines of information and have forged data show in the Zabbix UI. This attack requires SNMP auth to be off and/or the attacker to know the community/auth details. The attack requires an SNMP item to be configured as text on the target host.
    Known Attack Vectors:An attacker can perform log tampering (forging).
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server3.7 low
    6.0.0-6.0.34
    6.4.0-6.4.19
    7.0.0-7.0.2
    6.0.35rc1
    6.4.20rc1
    7.0.3rc1

    New line injection in Zabbix SNMP traps

    CVE ID: CVE-2024-42332
    Component: Server
    Severity
    3.7 low
    Affected versions
    6.0.0-6.0.34
    6.4.0-6.4.19
    7.0.0-7.0.2
    Fixed versions
    6.0.35rc1
    6.4.20rc1
    7.0.3rc1
    2024-11-29
  8. CVE/Advisory number:CVE-2024-42331
    Synopsis:Use after free in browser_push_error
    Description:In the src/libs/zbxembed/browser.c file, the es_browser_ctor method retrieves a heap pointer from the Duktape JavaScript engine. This heap pointer is subsequently utilized by the browser_push_error method in the src/libs/zbxembed/browser_error.c file. A use-after-free bug can occur at this stage if the wd->browser heap pointer is freed by garbage collection.
    Known Attack Vectors:This vulnerability could potentially lead to the denial of service.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server3.3 low
    7.0.0-7.0.3
    7.0.4rc1
  9. CVE/Advisory number:CVE-2024-42330
    Synopsis:JS - Internal strings in HTTP headers
    Description:The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows to create internal strings that can be used to access hidden properties of objects.
    Known Attack Vectors:This vulnerability could potentially lead to arbitrary code execution and denial of service.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server9.1 critical
    5.0.0-5.0.45
    6.0.0-6.0.33
    6.4.0-6.4.18
    7.0.0-7.0.3
    5.0.46rc1
    6.0.34rc1
    6.4.19rc1
    7.0.4rc1

    JS - Internal strings in HTTP headers

    CVE ID: CVE-2024-42330
    Component: Server
    Severity
    9.1 critical
    Affected versions
    5.0.0-5.0.45
    6.0.0-6.0.33
    6.4.0-6.4.18
    7.0.0-7.0.3
    Fixed versions
    5.0.46rc1
    6.0.34rc1
    6.4.19rc1
    7.0.4rc1
    2024-11-29
  10. CVE/Advisory number:CVE-2024-42329
    Synopsis:JS - Crash on unexpected HTTP server response
    Description:The webdriver for the Browser object expects an error object to be initialized when the webdriver_session_query function fails. But this function can fail for various reasons without an error description and then the wd->error will be NULL and trying to read from it will result in a crash.
    Known Attack Vectors:This vulnerability could lead to denial of service.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server3.3 low
    7.0.0-7.0.3
    7.0.4rc1
  11. CVE/Advisory number:CVE-2024-42328
    Synopsis:JS - Crash on empty HTTP server response
    Description:When the webdriver for the Browser object downloads data from a HTTP server, the data pointer is set to NULL and is allocated only in curl_write_cb when receiving data. If the server's response is an empty document, then wd->data in the code below will remain NULL and an attempt to read from it will result in a crash.
    Known Attack Vectors:This vulnerability could lead to denial of service.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server3.3 low
    7.0.0-7.0.3
    7.0.4rc1
  12. CVE/Advisory number:CVE-2024-42327
    Synopsis:SQL injection in user.get API
    Description:A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
    Known Attack Vectors:There is possibility for privilege escalation using this vulnerability.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank Márk Rákóczi (reeeeeeeeeeee) for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    API9.9 critical
    6.0.0-6.0.31
    6.4.0-6.4.16
    7.0.0
    6.0.32rc1
    6.4.17rc1
    7.0.1rc1

    SQL injection in user.get API

    CVE ID: CVE-2024-42327
    Component: API
    Severity
    9.9 critical
    Affected versions
    6.0.0-6.0.31
    6.4.0-6.4.16
    7.0.0
    Fixed versions
    6.0.32rc1
    6.4.17rc1
    7.0.1rc1
    2024-11-29
  13. CVE/Advisory number:CVE-2024-42326
    Synopsis:Use after free vulnerability in browser.c
    Description:There was discovered a use after free bug in browser.c in the es_browser_get_variant function
    Known Attack Vectors:This only appears to crash the zabbix_js process, however since this is a use after free bug it may lead to further exploitation and denial of service
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server4.4 medium
    7.0.0-7.0.3
    7.0.4rc1
  14. CVE/Advisory number:CVE-2024-36468
    Synopsis:Stack buffer overflow in zbx_snmp_cache_handle_engineid
    Description:The reported vulnerability is a stack buffer overflow in the zbx_snmp_cache_handle_engineid function within the Zabbix server/proxy code. This issue occurs when copying data from session->securityEngineID to local_record.engineid without proper bounds checking.
    Known Attack Vectors:This vulnerability could potentially lead to the denial of service.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank chamal for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server, Proxy3 low
    7.0.0-7.0.2
    7.0.3rc1
  15. CVE/Advisory number:CVE-2024-36467
    Synopsis:Authentication privilege escalation via user groups due to missing authorization checks
    Description:An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.
    Known Attack Vectors:A user can use the API to add themselves to any non-disabled group. Potentially if the Zabbix configuration has permissions assigned to groups this could lead to privilege escalation.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank Márk Rákóczi for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    API7.5 high
    5.0.0-5.0.42
    6.0.0-6.0.32
    6.4.0-6.4.17
    7.0.0-7.0.1
    5.0.43rc1
    6.0.33rc1
    6.4.18rc1
    7.0.2rc1
  16. CVE/Advisory number:CVE-2024-36466
    Synopsis:Unauthenticated Zabbix frontend takeover when SSO is being used
    Description:A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.
    Known Attack Vectors:Session credentials could be falsified through forging
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:Disabling the SSO authentication method
    Acknowledgements:Zabbix wants to thank Márk Rákóczi (reeeeeeeeeeee) for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Frontend8.8 high
    6.0.0-6.0.31
    6.4.0-6.4.17
    7.0.0
    6.0.32rc1
    6.4.17rc1
    7.0.1rc1
  17. CVE/Advisory number:CVE-2024-36464
    Synopsis:Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported
    Description:When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
    Known Attack Vectors:SMTP password is visible in plain text when exported, malicious user can abuse this to send mails using the leaked smtp credentials.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank Jayateertha G for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Frontend2.7 low
    6.0.0-6.0.29
    6.4.0-6.4.15
    6.0.30rc1
    6.4.16rc1
  18. CVE/Advisory number:CVE-2024-36463
    Synopsis:JavaScript function "atob" allows to create private strings
    Description:The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.
    Known Attack Vectors:Successful exploit could result in arbitrary code execution.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Proxy, Server6.5 medium
    5.0.0-5.0.42
    6.0.0-6.0.32
    6.4.0-6.4.17
    7.0.0-7.0.2
    5.0.43rc1
    6.0.33rc1
    6.4.18rc1
    7.0.3rc1
  19. CVE/Advisory number:CVE-2024-22117
    Synopsis:Value of sysmap_element_url can be de-synchronized causing the map element to crash when new URLs is added
    Description:When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.
    Known Attack Vectors:Consequently, after conducted manipulations of sysmap_element_url, no one else will be able to add URLs to the map element.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank prasetia for submitting this report on the HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Frontend, API2.2 low
    5.0.0-5.0.43
    6.0.0-6.0.33
    6.4.0-6.4.18
    7.0.0-7.0.3
    5.0.44rc1
    6.0.34rc1
    6.4.19rc1
    7.0.4rc1
  20. CVE/Advisory number:CVE-2024-22114
    Synopsis:System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission
    Description:User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.
    Known Attack Vectors:User with no permission to hosts able to obtain statistics like total hosts count and other data through System Information Widget.
    Resolution:To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to appropriate products.
    Workarounds:-
    Acknowledgements:Zabbix wants to thank Jayateertha G (jayateerthag) who submitted this report in HackerOne bug bounty platform.
    ComponentSeverityAffected versionFix versionTickets
    Server, Frontend4.3 medium
    5.0.0-5.0.42
    6.0.0-6.0.30
    6.4.0-6.4.15
    7.0.0alpha1-7.0.0rc2
    5.0.43rc1
    6.0.31rc1
    6.4.16rc1
    7.0.0rc3