FreeBSD: VID-F0D33375-B0E0-11EF-A724-B42E991FC52E (CVE-2024-42327): zabbix -- SQL injection in user.get API
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Nov 27, 2024 | Dec 3, 2024 | Feb 18, 2025 |
Description
Any non-admin account on the Zabbix frontend that has the default User role, or any other role that grants API access, can exploit this vulnerability. The SQL injection is in the addRelatedObjects function of the CUser class; that function is called from CUser.get (the user.get API method), which is reachable by every user with API access, so the only precondition is a valid API session.
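The pattern described above, an authenticated API "get" method that hands a caller-supplied value to a helper which splices it into SQL, is illustrated by the following added example. It is not Zabbix code and does not reproduce the real frontend schema or the affected parameter; the table names, the `related_objects_vulnerable` and `related_objects_safe` helpers and the payload are assumptions constructed for the demonstration. Python with sqlite3 is used so it runs offline; the frontend itself is PHP.

```python
import sqlite3

# Constructed sample data standing in for a frontend database: a users table
# holding credentials and a user-to-group mapping. This is NOT Zabbix's schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (userid INTEGER, username TEXT, passwd_hash TEXT);
        CREATE TABLE users_groups (userid INTEGER, usrgrpid INTEGER);
        INSERT INTO users VALUES (1, 'Admin', 'hash-admin');
        INSERT INTO users VALUES (2, 'reporter', 'hash-reporter');
        INSERT INTO users_groups VALUES (1, 7);
        INSERT INTO users_groups VALUES (2, 9);
    """)
    return con


def related_objects_vulnerable(con, userids):
    # Hypothetical "add related objects" helper, as a get() method might call
    # it: the caller-supplied IDs are joined straight into the SQL text, so a
    # value that closes the IN (...) list can append arbitrary clauses.
    ids = ",".join(str(u) for u in userids)
    sql = f"SELECT userid, usrgrpid FROM users_groups WHERE userid IN ({ids})"
    return con.execute(sql).fetchall()


def related_objects_safe(con, userids):
    # Hardened form: reject anything that is not a non-negative integer, then
    # bind the values as parameters so the database never parses them as SQL.
    clean = []
    for u in userids:
        if isinstance(u, bool) or not isinstance(u, int) or u < 0:
            raise ValueError(f"invalid userid: {u!r}")
        clean.append(u)
    if not clean:
        return []
    placeholders = ",".join("?" * len(clean))
    sql = f"SELECT userid, usrgrpid FROM users_groups WHERE userid IN ({placeholders})"
    return con.execute(sql, clean).fetchall()


# A low-privilege caller asking for its own related objects (userid 2) but
# smuggling a UNION that reads every password hash from the users table.
INJECTION = "2) UNION SELECT userid, passwd_hash FROM users WHERE (1=1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", related_objects_vulnerable(con, [INJECTION]))
    print("safe:", related_objects_safe(con, [2]))
    try:
        related_objects_safe(con, [INJECTION])
    except ValueError as err:
        print("safe rejected payload:", err)
```

The vulnerable path returns the caller's own mapping plus one row per user containing the hash, which is the "authenticated user reads data outside their scope" outcome the advisory describes; the hardened path returns only the mapping row and refuses the payload before any query is built.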
Solution(s)
Upgrade the affected FreeBSD frontend package to a fixed build:
- freebsd-upgrade-package-zabbix6-frontend
- freebsd-upgrade-package-zabbix64-frontend
- freebsd-upgrade-package-zabbix7-frontend
On a FreeBSD host, `pkg audit -F` reports installed packages that match this VuXML entry.