Filtered by vendor Zabbix
Subscriptions
Filtered by product Zabbix
Subscriptions
Total
107 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2009-4500 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| The process_trap function in trapper/trapper.c in Zabbix Server before 1.6.6 allows remote attackers to cause a denial of service (crash) via a crafted request with data that lacks an expected : (colon) separator, which triggers a NULL pointer dereference. | ||||
| CVE-2009-4501 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword. | ||||
| CVE-2009-4498 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2006-6693 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| Multiple buffer overflows in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via long strings to the (1) zabbix_log and (2) zabbix_syslog functions. | ||||
| CVE-2009-4502 | 3 Freebsd, Sun, Zabbix | 3 Freebsd, Solaris, Zabbix | 2025-04-09 | N/A |
| The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses. | ||||
| CVE-2009-4499 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c. | ||||
| CVE-2006-6692 | 1 Zabbix | 1 Zabbix | 2025-04-09 | N/A |
| Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in information that would be recorded in the system log using (1) zabbix_log or (2) zabbix_syslog. | ||||
| CVE-2023-32723 | 1 Zabbix | 1 Zabbix | 2025-02-13 | 8.5 High |
| Request to LDAP is sent before user permissions are checked. | ||||
| CVE-2023-29451 | 1 Zabbix | 1 Zabbix | 2025-02-13 | 4.7 Medium |
| Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. | ||||
| CVE-2024-22121 | 1 Zabbix | 1 Zabbix | 2024-12-10 | 6.1 Medium |
| A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application. | ||||
| CVE-2024-36462 | 1 Zabbix | 1 Zabbix | 2024-12-10 | 7.5 High |
| Uncontrolled resource consumption refers to a software vulnerability where a attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system. | ||||
| CVE-2023-29452 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 5.5 Medium |
| Currently, geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the field “Attribution text” when selected “Other” Tile provider. | ||||
| CVE-2022-40626 | 2 Fedoraproject, Zabbix | 2 Fedora, Zabbix | 2024-11-21 | 4.8 Medium |
| An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend. | ||||
| CVE-2021-46088 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 7.2 High |
| Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user. | ||||
| CVE-2021-27927 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 8.8 High |
| In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. | ||||
| CVE-2020-15803 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports and 2 more | 2024-11-21 | 6.1 Medium |
| Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. | ||||
| CVE-2020-11800 | 3 Debian, Opensuse, Zabbix | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-11-21 | 9.8 Critical |
| Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code. | ||||
| CVE-2019-17382 | 1 Zabbix | 1 Zabbix | 2024-11-21 | 9.1 Critical |
| An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. | ||||
| CVE-2019-15132 | 2 Debian, Zabbix | 2 Debian Linux, Zabbix | 2024-11-21 | 5.3 Medium |
| Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php. | ||||
| CVE-2017-2826 | 2 Debian, Zabbix | 2 Debian Linux, Zabbix | 2024-11-21 | N/A |
| An information disclosure vulnerability exists in the iConfig proxy request of Zabbix server 2.4.X. A specially crafted iConfig proxy request can cause the Zabbix server to send the configuration information of any Zabbix proxy, resulting in information disclosure. An attacker can make requests from an active Zabbix proxy to trigger this vulnerability. | ||||