Zabbix Security Advisories and CVE database

How to report a security issue?
One advisory per line, columns separated by "|". Where an advisory affects several release lines, the affected ranges are listed separated by ";". ZBA entries are advisories about third-party components (OpenSSL, zlib, Spring, logback) and carry no Zabbix-assigned CVE or CVSS score.

Zabbix ID | CVE | CVSS | Severity | Synopsis | Component(s) | Affected version(s) | Published
ZBV-2024-08-09-8 | CVE-2024-36462 | 7.5 | High | Allocation of resources without limits or throttling (uncontrolled resource consumption) | Server | 7.0.0alpha1-7.0.0 | 2024 Aug 09
ZBV-2024-08-09-7 | CVE-2024-36461 | 9.1 | Critical | Direct access to memory pointers within the JS engine for modification | Server | 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0 | 2024 Aug 09
ZBV-2024-08-09-6 | CVE-2024-36460 | 8.1 | High | Front-end audit log shows passwords in plaintext | Frontend | 5.0.0-5.0.42; 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0 | 2024 Aug 09
ZBV-2024-08-09-5 | CVE-2024-22123 | 2.7 | Low | Zabbix arbitrary file read | Server | 5.0.0-5.0.42; 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0rc2 | 2024 Aug 09
ZBV-2024-08-09-4 | CVE-2024-22122 | 3.0 | Low | AT (GSM) command injection | Server, Frontend | 5.0.0-5.0.42; 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0rc2 | 2024 Aug 09
ZBV-2024-08-09-3 | CVE-2024-22121 | 6.1 | Medium | Zabbix Agent MSI installer allows a non-admin user to access the Change option via msiexec.exe | Installation | 5.0.0-5.0.42; 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0rc2 | 2024 Aug 09
ZBV-2024-08-09-2 | CVE-2024-22116 | 9.9 | Critical | Remote code execution within ping script | Server | 6.4.0-6.4.15; 7.0.0alpha1-7.0.0rc2 | 2024 Aug 09
ZBV-2024-08-09-1 | CVE-2024-22114 | 4.3 | Medium | System Information widget in the Global view dashboard exposes information about hosts to users without permission | Server, Frontend | 5.0.0-5.0.42; 6.0.0-6.0.30; 6.4.0-6.4.15; 7.0.0alpha1-7.0.0rc2 | 2024 Aug 09
ZBV-2024-05-17 | CVE-2024-22120 | 9.1 | Critical | Time-based SQL injection in Zabbix Server audit log | Server | 6.0.0-6.0.27; 6.4.0-6.4.12; 7.0.0alpha1-7.0.0beta1 | 2024 May 17
ZBV-2024-02-09 | CVE-2024-22119 | 5.5 | Medium | Stored XSS in graph items select form | Frontend | 5.0.0-5.0.39; 6.0.0-6.0.23; 6.4.0-6.4.8; 7.0.0alpha1-7.0.0alpha7 | 2024 Feb 09
ZBV-2023-12-18-4 | CVE-2023-32728 | 4.6 | Medium | Code injection in Zabbix Agent 2 smart.disk.get caused by the smartctl plugin | Agent 2 | 5.0.0-5.0.38; 6.0.0-6.0.23; 6.4.0-6.4.8; 7.0.0alpha1-7.0.0alpha7 | 2023 Dec 18
ZBV-2023-12-18-3 | CVE-2023-32727 | 6.8 | Medium | icmpping() code execution vulnerability | Server | 4.0.0-4.0.49; 5.0.0-5.0.38; 6.0.0-6.0.22; 6.4.0-6.4.7; 7.0.0alpha0-7.0.0alpha6 | 2023 Dec 18
ZBV-2023-12-18-2 | CVE-2023-32726 | 3.9 | Low | Possible buffer over-read when reading DNS responses | Agent | 5.0.0-5.0.39; 6.0.0-6.0.23; 6.4.0-6.4.8; 7.0.0alpha1-7.0.0alpha6 | 2023 Dec 18
ZBV-2023-12-18-1 | CVE-2023-32725 | 9.6 | Critical | Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget | Server, Web service | 6.0.0-6.0.21; 6.4.0-6.4.6; 7.0.0alpha1-7.0.0alpha3 | 2023 Dec 18
ZBV-2023-09-20-1 | CVE-2023-29453 | 9.8 | Critical | Agent 2 packages are built with a Go version affected by CVE-2023-24538 | Agent 2 | 5.0.0-5.0.34; 6.0.0-6.0.17; 6.4.0-6.4.2 | 2023 Oct 12
ZBV-2023-09-20-2 | CVE-2023-32721 | 7.6 | High | Stored XSS in Maps element | API, Frontend | 4.0.0-4.0.47; 5.0.0-5.0.36; 6.0.0-6.0.20; 6.4.0-6.4.5; 7.0.0alpha1-7.0.0alpha3 | 2023 Oct 12
ZBV-2023-09-20-3 | CVE-2023-32722 | 9.6 | Critical | Stack buffer overflow in library module zbxjson | Agent, Proxy, Server | 6.0.0-6.0.20; 6.4.0-6.4.5; 7.0.0alpha1-7.0.0alpha3 | 2023 Oct 12
ZBV-2023-09-20-4 | CVE-2023-32723 | 8.5 | High | Inefficient permission check in class CControllerAuthenticationUpdate | Frontend | 4.0.0-4.0.19rc1; 4.4.0-4.4.7rc1; 5.0.0alpha1-5.0.0alpha3 | 2023 Oct 12
ZBV-2023-09-20-5 | CVE-2023-32724 | 9.1 | Critical | JS engine memory pointers are directly available to Zabbix users for modification | Proxy, Server | 5.0.0-5.0.36; 6.0.0-6.0.20; 6.4.0-6.4.5; 7.0.0alpha1-7.0.0alpha3 | 2023 Oct 12
ZBV-2023-07-27-9 | CVE-2023-29458 | 5.9 | Medium | Duktape 2.6 bug crashes JavaScript when too many values are put in the valstack | Server, Proxy | 5.0.0-5.0.34; 6.0.0-6.0.17; 6.4.0-6.4.2; 7.0.0alpha1 | 2023 Jun 16
ZBV-2023-07-27-8 | CVE-2023-29457 | 6.3 | Medium | Insufficient validation of Action form input fields | Frontend | 4.0.0-4.0.45; 5.0.0-5.0.34; 6.0.0-6.0.17 | 2023 Jun 16
ZBV-2023-07-27-7 | CVE-2023-29456 | 5.7 | Medium | Inefficient URL schema validation | Frontend | 4.0.0-4.0.46; 5.0.0-5.0.35; 6.0.0-6.0.18; 6.4.0-6.4.3; 7.0.0alpha1 | 2023 Jun 16
ZBV-2023-07-27-6 | CVE-2023-29455 | 5.4 | Medium | Reflected XSS in several fields of graph form | Frontend | 4.0.0-4.0.45; 5.0.0-5.0.33 | 2023 Jun 16
ZBV-2023-07-27-5 | CVE-2023-29454 | 5.4 | Medium | Persistent XSS in the user form | Frontend | 4.0.0-4.0.45; 5.0.0-5.0.33; 6.0.0-6.0.16 | 2023 Jun 16
ZBV-2023-07-27-4 | CVE-2023-29452 | 5.5 | Medium | Remove possibility to add HTML into Geomap attribution field | Frontend | 6.0.0-6.0.17; 6.4.0-6.4.2; 7.0.0-7.0.0alpha1 | 2023 Jun 16
ZBV-2023-07-27-3 | CVE-2023-29451 | 4.7 | Medium | Denial of service caused by a bug in the JSON parser | Server, Proxy | 6.0-6.0.14; 6.2-6.2.8; 6.4-6.4.0; 7.0.0alpha1 | 2023 Mar 10
ZBV-2023-07-27-2 | CVE-2023-29450 | 8.5 | High | Unauthorized limited filesystem access from preprocessing | Server, Proxy | 5.0-5.0.31; 6.0-6.0.13; 6.2-6.2.7; 6.4-6.4.0rc1 | 2023 Feb 23
ZBV-2023-07-27-1 | CVE-2023-29449 | 5.9 | Medium | Limited control of resource utilization in JS preprocessing | Server, Proxy | 4.4.4-4.4.*; 5.0.0alpha1-5.0.31; 5.2.0alpha1-5.2.*; 5.4.0alpha1-5.4.*; 6.0.0alpha1-6.0.13; 6.2.0alpha1-6.2.7; 6.4.0alpha1-6.4.0beta6 | 2023 Jan 06
ZBV-2022-12-1 | CVE-2022-43516 | 6.5 | Medium | Zabbix Agent installer adds an "allow all TCP any any" firewall rule | Agent, Agent 2 | MSI packages built 29 Oct 2022 - 2 Dec 2022 | 2022 Nov 30
ZBA-2022-10-1 | - | - | High | Some Zabbix products are affected by CVE-2022-3786 and CVE-2022-3602 in OpenSSL | Agent, Containers, Packages | <=6.0.8 (Solaris); all versions <=31 Oct 2022 | 2022 Oct 31
ZBV-2022-10-1 | CVE-2022-43515 | 5.3 | Medium | X-Forwarded-For header active by default allows access to Zabbix sites in maintenance mode | Frontend | 4.0.0-4.0.44; 5.0.0-5.0.29; 6.0.0-6.0.9; 6.2.0-6.2.4 | 2022 Oct 18
ZBV-2022-09-1 | CVE-2022-46768 | 5.9 | Medium | File name information disclosure in Zabbix Web Service report generation | Report generation | 6.0.0-6.0.11; 6.2.0-6.2.5 | 2022 Sep 21
ZBA-2022-07-1 | - | - | - | Zabbix products are not affected by CVE-2022-2068 in OpenSSL | - | - | 2022 Jul 26
ZBV-2022-07-1 | CVE-2022-40626 | 4.8 | Medium | Reflected XSS in action configuration window of Zabbix Frontend | Frontend | 6.0.0-6.0.6; 6.2.0 | 2022 Jul 08
ZBV-2022-04-1 | CVE-2022-35229 | 3.7 | Low | Reflected XSS in discovery page of Zabbix Frontend | Frontend | >=4.0.0; 5.0.0-5.0.24; 6.0.0-6.0.4; 6.2alpha1-6.2beta3 | 2022 Apr 27
ZBV-2022-04-2 | CVE-2022-35230 | 3.7 | Low | Reflected XSS in graphs page of Zabbix Frontend | Frontend | >=4.0.23rc1; 5.0.0-5.0.24 | 2022 Apr 27
ZBA-2022-04-1 | - | - | - | Zabbix products are not affected by vulnerabilities in Spring Framework (CVE-2022-22965, Spring4Shell) and Spring Cloud Function (CVE-2022-22963) | - | - | 2022 Apr 04
ZBA-2022-03-1 | - | - | - | Zabbix products are not affected by CVE-2018-25032 in zlib 1.2.11 | - | - | 2022 Mar 28
ZBV-2022-01-2 | CVE-2022-24917 | 3.7 | Low | Reflected XSS in service configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38; 5.0.0-5.0.20; 5.4.0-5.4.10 | 2022 Feb 02
ZBV-2022-01-3 | CVE-2022-24918 | 3.7 | Low | Reflected XSS in item configuration window of Zabbix Frontend | Frontend | 5.0.0-5.0.20; 5.4.0-5.4.10; 6.0 | 2022 Feb 02
ZBV-2022-01-1 | CVE-2022-24349 | 4.6 | Medium | Reflected XSS in action configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38; 5.0.0-5.0.20; 5.4.0-5.4; 6.0 | 2022 Feb 01
ZBV-2022-01-4 | CVE-2022-24919 | 3.7 | Low | Reflected XSS in graph configuration window of Zabbix Frontend | Frontend | 4.0.0-4.0.38; 5.0.0-5.0.20; 5.4.0-5.4.10; 6.0 | 2022 Feb 01
ZBV-2021-12-2 | CVE-2022-23134 | 3.7 | Low | Possible view of the setup pages by unauthenticated users if the config file already exists | Frontend | 5.4.0-5.4.8; 6.0.0-6.0.0beta1 | 2021 Dec 20
ZBA-2021-12-4 | - | - | Medium | Possible remote code execution in Zabbix Java Gateway with logback 1.2.7 and prior versions | Java gateway | 2.0-2.X; 3.0-3.X; 4.0.0-4.0.36; 5.0.18; 5.4.0-5.4.8; 6.0.0alpha1-6.0.0beta1 | 2021 Dec 16
ZBV-2021-12-3 | CVE-2022-23133 | 6.3 | Medium | Stored XSS in host groups configuration window in Zabbix Frontend | Frontend | 5.0.0-5.0.18; 5.4.0-5.4.8; 6.0.0alpha1 | 2021 Dec 08
ZBV-2021-12-5 | CVE-2022-23132 | 3.3 | Low | Incorrect permissions of /var/run/zabbix force dac_override | Proxy, Server | 4.0.0-4.0.36; 5.0.18; 5.4.0-5.4.8; 6.0.0alpha1-6.0.0alpha7 | 2021 Dec 01
ZBV-2021-11-1 | CVE-2022-23131 | 9.1 | Critical | Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML | Frontend | 5.4.0-5.4.8; 6.0.0alpha1 | 2021 Nov 22
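The affected-version column mixes final releases, pre-releases (alpha/beta/rc) and wildcards, and comparing an installed version against it by hand is error-prone: "7.0.0rc2" sits below "7.0.0", and "7.0.0alpha1-7.0.0rc2" excludes the 7.0.0 release while "7.0.0alpha1-7.0.0" includes it. The following Python script is an added example, not code from Zabbix or from this page: it parses version strings and ranges in the notation the table uses and reports which advisories apply to a given version. The advisory rows in ADVISORIES are transcribed from the table above (a subset chosen for illustration); the versions queried in the main block are constructed inputs.

```python
import re

# Pre-release stages in ascending order; a final release ranks above all of them.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = 3
_VERSION_RE = re.compile(r"^v?(\d+(?:\.(?:\d+|\*))*)(alpha|beta|rc)?(\d*)$")


def parse_version(text):
    """Turn '6.4.0rc1' into a sortable tuple (6, 4, 0, stage, n).

    Missing minor/patch components are padded with 0 ('6.0' == '6.0.0'),
    a trailing '*' component becomes +inf ('4.4.*' covers the whole 4.4 line),
    and a pre-release sorts below the final release of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [float("inf") if p == "*" else int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    if m.group(2):
        return (*parts, _STAGE[m.group(2)], int(m.group(3) or 0))
    return (*parts, _FINAL, 0)


def parse_range(text):
    """Parse one entry of the 'Affected version(s)' column into (low, high).

    Accepts 'A-B' (inclusive), 'A-B.*', '>=A' / '=>A' (open-ended upwards),
    '<=B' (open-ended downwards) and a single version 'A'. En dashes and
    spaces around the hyphen, as they appear on the page, are normalised.
    """
    t = text.strip().replace("\u2013", "-").replace(" ", "")
    if t.startswith((">=", "=>")):
        return parse_version(t[2:]), (float("inf"),)
    if t.startswith("<="):
        return (0,), parse_version(t[2:])
    if "-" in t:
        lo, hi = t.split("-", 1)
        return parse_version(lo), parse_version(hi)
    v = parse_version(t)
    return v, v


def is_affected(version, ranges):
    """True if version falls inside any of the given affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in map(parse_range, ranges))


# Rows transcribed from the advisory table above (subset for illustration).
ADVISORIES = {
    "ZBV-2024-08-09-7": ("CVE-2024-36461",
                         ["6.0.0-6.0.30", "6.4.0-6.4.15", "7.0.0alpha1-7.0.0"]),
    "ZBV-2024-08-09-2": ("CVE-2024-22116",
                         ["6.4.0-6.4.15", "7.0.0alpha1-7.0.0rc2"]),
    "ZBV-2024-05-17": ("CVE-2024-22120",
                       ["6.0.0-6.0.27", "6.4.0-6.4.12", "7.0.0alpha1-7.0.0beta1"]),
    "ZBV-2023-07-27-1": ("CVE-2023-29449",
                         ["4.4.4-4.4.*", "5.0.0alpha1-5.0.31",
                          "6.0.0alpha1-6.0.13", "6.4.0alpha1-6.4.0beta6"]),
}


def advisories_for(version, advisories=ADVISORIES):
    """Return sorted (Zabbix ID, CVE) pairs whose affected ranges contain version."""
    return sorted((zid, cve) for zid, (cve, ranges) in advisories.items()
                  if is_affected(version, ranges))


if __name__ == "__main__":
    # Constructed sample inputs: an installed version as reported by
    # 'zabbix_server -V', including pre-release builds.
    for v in ("6.4.12", "6.4.15", "7.0.0rc2", "7.0.0", "7.0.1", "4.4.10", "6.4.0beta3"):
        print(f"{v:>10} -> {[cve for _, cve in advisories_for(v)]}")
```

Two entries in the table are deliberately left out of the sample data: ">=4.0.0" and ">=4.0.23rc1" (ZBV-2022-04-1 and ZBV-2022-04-2) have no upper bound on the page, so a literal open-ended parse would flag every later release; treat those rows as a lower bound to be read together with the other ranges listed for the same advisory, not as a statement about current versions.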

Whole history of vulnerabilities