
Zabbix, a cornerstone of IT infrastructure monitoring, has fixed five newly disclosed security vulnerabilities ranging from low-severity information leaks to high-impact SQL injection and denial-of-service (DoS) risks.
Among the most critical is CVE-2024-36465 (CVSS 8.6), a SQL injection vulnerability in the groupBy parameter of Zabbix’s API. A low-privilege Zabbix user with API access can exploit this flaw in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter; any authenticated Zabbix API user could inject malicious SQL. The affected component is the Zabbix API, versions 7.0.0-7.0.7 and 7.2.0-7.2.1; fixed versions are 7.0.8rc2 and 7.2.2rc1.
Next is CVE-2024-45699 (CVSS 7.5), a high-severity reflected Cross-Site Scripting (XSS) vulnerability. This flaw is present in the /zabbix.php?action=export.valuemaps endpoint. The vulnerability occurs due to the reflection of user-supplied data via the backurl parameter without proper HTML escaping or output encoding. This allows an attacker to inject a JavaScript payload that can be executed within the victim’s browser. The affected component is the Zabbix web interface, versions 6.0.0-6.0.36, 6.4.0-6.4.20, and 7.0.0-7.0.6; fixed versions are 6.0.37rc1, 6.4.21rc1, and 7.0.7rc1.
A medium-severity Denial-of-Service (DoS) vulnerability, CVE-2024-45700, exists in the Zabbix server and proxy. The Zabbix server is vulnerable to a DoS attack due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, causing it to allocate excessive memory and perform CPU-intensive decompression operations, potentially leading to a service crash. Affected components are the Zabbix Server and Zabbix Proxy, versions 6.0.0-6.0.38, 7.0.0-7.0.9, and 7.2.0-7.2.3; fixed versions are 6.0.39rc1, 7.0.10rc1, and 7.2.4rc1.
A low-severity vulnerability, CVE-2024-42325, exists in the Zabbix API. The user.get method returns excessive information, including media and login attempt details, for all users sharing a common group with the calling user. The affected component is the Zabbix API, versions 5.0.0-5.0.45, 6.0.0-6.0.37, 7.0.0-7.0.8, and 7.2.0-7.2.2; fixed versions are 5.0.46rc1, 6.0.38rc1, 7.0.9rc1, and 7.2.3rc1.
Finally, a low-severity user enumeration vulnerability, CVE-2024-36469, exists due to a timing discrepancy in unsuccessful login attempts. The execution time for an unsuccessful login differs when using a non-existing username compared to an existing one. An attacker with access to the Zabbix frontend or Zabbix API could exploit this by timing unsuccessful logins. The affected component is the Zabbix web interface, versions 5.0.0-5.0.45, 6.0.0-6.0.37, 7.0.0-7.0.8, and 7.2.0-7.2.2; fixed versions are 5.0.46rc1, 6.0.38rc1, 7.0.9rc1, and 7.2.3rc1.
Users of Zabbix are advised to review the provided information and upgrade to the fixed versions as soon as possible to mitigate these security risks.
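To turn the version ranges above into a quick check against an installed Zabbix version, here is an added example (not Zabbix's own code) that parses Zabbix version strings, including release-candidate suffixes, and reports which of the five CVEs still apply. It assumes a version is affected when it is at or above the first affected release of its branch and below the fixed release; the ranges are copied from the advisory text above.

```python
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    rc: float  # rc number; a final release sorts after every rc, so it gets +inf


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(s: str) -> Version:
    """Parse strings such as '7.0.7' or '7.0.8rc2' into a comparable tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {s!r}")
    major, minor, patch, rc = m.groups()
    return Version(int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


# Per CVE: (first affected release, first fixed release) for each branch,
# copied from the advisory above.
ADVISORY = {
    "CVE-2024-36465": [("7.0.0", "7.0.8rc2"), ("7.2.0", "7.2.2rc1")],
    "CVE-2024-45699": [("6.0.0", "6.0.37rc1"), ("6.4.0", "6.4.21rc1"), ("7.0.0", "7.0.7rc1")],
    "CVE-2024-45700": [("6.0.0", "6.0.39rc1"), ("7.0.0", "7.0.10rc1"), ("7.2.0", "7.2.4rc1")],
    "CVE-2024-42325": [("5.0.0", "5.0.46rc1"), ("6.0.0", "6.0.38rc1"),
                       ("7.0.0", "7.0.9rc1"), ("7.2.0", "7.2.3rc1")],
    "CVE-2024-36469": [("5.0.0", "5.0.46rc1"), ("6.0.0", "6.0.38rc1"),
                       ("7.0.0", "7.0.9rc1"), ("7.2.0", "7.2.3rc1")],
}


def affected_cves(version: str) -> list[str]:
    """Return the advisory CVEs whose affected range contains `version`.

    Assumption: affected iff first_affected <= version < first_fixed on that branch,
    so an rc build older than the fixing rc (e.g. 7.0.8rc1) still counts as affected."""
    v = parse_version(version)
    hits = []
    for cve, branches in ADVISORY.items():
        if any(parse_version(low) <= v < parse_version(fixed) for low, fixed in branches):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for installed in ("7.0.7", "7.0.8rc2", "7.0.9", "7.2.3", "7.2.4rc1", "5.0.45"):
        print(installed, "->", affected_cves(installed) or "not affected by this advisory")
```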