2075 matches found
Zabbix - SQL Injection
Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggleids array parameter in latest.php and perform SQL injection attacks. id: CVE-2016-10134 info: name: Zabbix - SQL Injection author: princechaddha severity: critical description: Zabbix...
Zabbix <=4.4 - Authentication Bypass
Zabbix through 4.4 is susceptible to an authentication bypass vulnerability via zabbix.php?action=dashboard.view&dashboardid=1. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password i.e., anonymously...
Grafana & Zabbix Integration - Credentials Disclosure
Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the apijsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search...
Zabbix Setup Configuration Authentication Bypass
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators but also by unauthenticated users. A malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. id: CVE-2022-23134 info: name: Zabbix Setup...
Zabbix - SAML SSO Authentication Bypass
When SAML SSO authentication is enabled non-default, session data can be modified by a malicious actor because a user login stored in the session was not verified. id: CVE-2022-23131 info: name: Zabbix - SAML SSO Authentication Bypass author: For3stCo1d,spac3wh1te severity: critical description:...
GHSA-C2P3-7M5P-CV8X vulnerabilities
Vulnerabilities for packages: zabbix-fips...
GHSA-9FRC-8383-795M vulnerabilities
Vulnerabilities for packages: zabbix-fips...
GHSA-4QPC-3HR4-R2P4 vulnerabilities
Vulnerabilities for packages: zabbix-fips...
CVE-2026-45305 vulnerabilities
Vulnerabilities for packages: zabbix-fips...
CVE-2026-45304 vulnerabilities
Vulnerabilities for packages: zabbix-fips...
CVE-2026-45133 vulnerabilities
Vulnerabilities for packages: zabbix-fips...
Vuln2Action-Demo
Vuln2Action-Demo This repository contains the demo video for t...
bug-bounty-hunts
Bug Bounty Hunts Curated writeups and proof-of-concept materi...
Astra Linux – Vulnerability in Zabbix
A authenticated user can create a hosts group using the configuration with XSS payload, which will be available to other users. When XSS is stored by an authenticated malicious actor, and other users attempt to search for groups during the creation of new hosts, the XSS payload will activate,...
Astra Linux – Vulnerability in Zabbix
A authenticated user can create a link containing reflected JavaScript code for a service page and send it to other users. The payload can only be executed with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the...
Astra Linux – Vulnerability in Zabbix
A authenticated user can create a link containing reflected JavaScript code on its own pages and send it to other users. The payload can only be executed with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the sa...
Astra Linux – Vulnerability in Zabbix
Zabbix Frontend offers a feature that enables administrators to manage the installation and ensure that only certain IP addresses can access it. This way, no user will be able to access the Zabbix Frontend during maintenance, and sensitive data will be protected from being disclosed. An attacker...
Astra Linux – Vulnerability in Zabbix
In Zabbix versions 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code within this controller calls diableSIDValidation within the init method. An...
Astra Linux – Vulnerability in Zabbix
The Zabbix server can execute commands for configured scripts. After the command is executed, an audit entry is added to the “Audit Log”. Since the “clientip” field is not sanitized, it is possible to inject SQL code into the “clientip” field, resulting in time-based blind SQL injection attacks...
Astra Linux – Vulnerability in Zabbix
The Zabbix Agent 2 item key “smart.disk.get” does not sanitize its parameters before passing them to a shell command, which may lead to a vulnerability for remote code execution...