The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Zabbix

vulnerability CVE-2016-10742

Zabbix: open redirect via Request Parameter

Synthesis of the vulnerability

An attacker can deceive the user via Request Parameter of Zabbix, in order to redirect him to a malicious site.
Impacted products: Debian, Zabbix.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 12/03/2019.
Identifiers: CVE-2016-10742, DLA-1708-1, VIGILANCE-VUL-28710, ZBX-10272.

Description of the vulnerability

The Zabbix product offers a web service.

However, the web service redirects the victim, without any warning, to an external site supplied by the attacker.

An attacker can therefore deceive the user via Request Parameter of Zabbix, in order to redirect him to a malicious site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability 27375

Zabbix: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Zabbix.
Impacted products: Zabbix.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 02/10/2018.
Identifiers: VIGILANCE-VUL-27375.

Description of the vulnerability

An attacker can use several vulnerabilities of Zabbix.

computer vulnerability 26285

Zabbix: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Zabbix, in order to run JavaScript code in the context of the web site.
Impacted products: Zabbix.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 31/05/2018.
Identifiers: FG-VD-15-019, VIGILANCE-VUL-26285.

Description of the vulnerability

The Zabbix product offers a web service.

However, it does not sanitize received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Zabbix, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2017-2826

Zabbix: information disclosure via Config Proxy Request

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Config Proxy Request of Zabbix, in order to obtain sensitive information.
Impacted products: Debian, Zabbix.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 10/04/2018.
Identifiers: CVE-2017-2826, DLA-1708-1, TALOS-2017-0327, VIGILANCE-VUL-25823.

Description of the vulnerability

An attacker can bypass access restrictions to data via Config Proxy Request of Zabbix, in order to obtain sensitive information.

computer vulnerability note 24409

Zabbix: vulnerability

Synthesis of the vulnerability

A vulnerability of Zabbix was announced.
Impacted products: Zabbix.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 10/11/2017.
Identifiers: DEV-593, VIGILANCE-VUL-24409.

Description of the vulnerability

A vulnerability of Zabbix was announced.

vulnerability 24160

Zabbix: information disclosure via Full User Names

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Full User Names of Zabbix, in order to obtain sensitive information.
Impacted products: Zabbix.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 17/10/2017.
Identifiers: VIGILANCE-VUL-24160.

Description of the vulnerability

An attacker can bypass access restrictions to data via Full User Names of Zabbix, in order to obtain sensitive information.

computer vulnerability alert CVE-2017-2824 CVE-2017-2825

Zabbix: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Zabbix.
Impacted products: Debian, Fedora, Zabbix.
Severity: 3/4.
Consequences: privileged access/rights, data creation/edition.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/04/2017.
Identifiers: CVE-2017-2824, CVE-2017-2825, DSA-3937-1, FEDORA-2017-63aca509fb, FEDORA-2017-d191fb7fce, TALOS-2017-0325, TALOS-2017-0326, VIGILANCE-VUL-22586.

Description of the vulnerability

Several vulnerabilities were announced in Zabbix.

An attacker can use a vulnerability, in order to run code. [severity:3/4; CVE-2017-2824, TALOS-2017-0325]

An attacker can inject database update commands. [severity:2/4; CVE-2017-2825, TALOS-2017-0326]

vulnerability bulletin CVE-2016-10134

Zabbix: SQL injection via Latest Data

Synthesis of the vulnerability

An attacker can use a SQL injection via Latest Data of Zabbix, in order to read or alter data.
Impacted products: Debian, Zabbix.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 12/01/2017.
Identifiers: CVE-2016-10134, DSA-3802-1, VIGILANCE-VUL-21563.

Description of the vulnerability

The Zabbix product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection via Latest Data of Zabbix, in order to read or alter data.

vulnerability CVE-2007-6210

ZABBIX: command execution with root group

Synthesis of the vulnerability

An attacker can use ZABBIX to execute commands with gid 0.
Impacted products: Debian, Fedora, Unix (platform) ~ not comprehensive, Zabbix.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: user shell.
Creation date: 06/12/2007.
Identifiers: 452682, BID-26680, CVE-2007-6210, DSA-1420-1, FEDORA-2007-4160, FEDORA-2007-4176, VIGILANCE-VUL-7390.

Description of the vulnerability

ZABBIX is a network monitoring program.

The "UserParameter" directive in /etc/zabbix/zabbix-agentd.conf defines commands that the agent can execute. They run with the uid and gid of the zabbix user. To achieve this, privileges are dropped with (simplified code):
  setgid(gid_of_zabbix);
  setuid(uid_of_zabbix);
However, the supplementary groups are not reset with initgroups(), so the root group (gid 0) inherited from the parent process persists.

A local attacker can therefore execute commands with the privileges of the root group.
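The corrected privilege-drop sequence, as an added example that is not Zabbix code: the supplementary group list is replaced before setgid()/setuid(), and the result is verified so a leftover gid 0 is caught. The target account (`nobody` by default) and the helper names are assumptions.

```c
/* Added example, not Zabbix code: drop root privileges without leaving gid 0
 * in the supplementary group list, the step the simplified sequence above omits. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int setgroups(size_t n, const gid_t *list);  /* glibc prototype, in case of strict -std */

/* Pure helper: 1 if gid is in list[0..n), else 0. */
int contains_gid(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* 1 if the process still holds gid 0 as a supplementary group, 0 if not, -1 on error. */
int has_root_supplementary_group(void) {
    int n = getgroups(0, NULL);               /* query the count first */
    if (n < 0) return -1;
    gid_t *groups = calloc(n ? n : 1, sizeof *groups);
    if (!groups) return -1;
    int found = -1;
    if (getgroups(n, groups) == n) found = contains_gid(groups, n, 0);
    free(groups);
    return found;
}

/* Drop to uid/gid in the order that works: supplementary groups and gid are
 * changed while still root, uid last. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;   /* replace the inherited list (incl. gid 0) */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: regaining root must fail and gid 0 must be gone. */
    if (setuid(0) == 0 || has_root_supplementary_group() != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "nobody";   /* assumed target account */
    struct passwd *pw = getpwnam(name);
    if (!pw) { fprintf(stderr, "unknown user %s\n", name); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }
    printf("now uid=%u gid=%u, root group present: %d\n",
           (unsigned)getuid(), (unsigned)getgid(), has_root_supplementary_group());
    return 0;
}
```

Run it as root to see the drop succeed; as an unprivileged user setgroups() fails with EPERM and the function reports the failure instead of continuing half-dropped.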