
Debian 10 Buster DLA-3390-1 Moderate: Zabbix User Enumeration Security Fix

Debian LTS, April 12, 2023
The latest Zabbix security patch fixes flaws in Debian LTS, improving defenses against user enumeration and cross-site scripting.
Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing User Enumeration, Cross-Site-Scripting or Cross-Site Request Fo...

Summary

CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is
possible to enumerate application usernames based on the variability of server
responses (e.g., the "Login name or password is incorrect" and "No permissions
for system access" messages, or just blocking for a number of seconds). This
affects both api_jsonrpc.php and index.php.
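
The response-variability oracle described for CVE-2019-15132, modelled as an added Python example (this is not Zabbix code and not part of the advisory): a login handler with the pre-fix pattern beside a hardened one, and a self-check a defender can run against either to see whether its replies distinguish real from nonexistent account names. The user table, passwords, attempt limit and block message are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict
# Constructed demo user table (not Zabbix's schema): name -> (password hash, frontend access)
_SALT = b"demo-salt"
def _pw_hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()
USERS = {
    "admin": (_pw_hash("correct horse"), True),
    "reporter": (_pw_hash("hunter2"), False),  # exists, but may not use the frontend
}
ATTEMPT_LIMIT = 5
GENERIC_ERROR = "Login name or password is incorrect"

class VulnerableLogin:
    """Pre-fix pattern: only real accounts get blocked or told 'No permissions',
    so the replies reveal whether a submitted name exists."""
    def __init__(self):
        self.failed = defaultdict(int)
    def login(self, username, password):
        if username not in USERS:
            return GENERIC_ERROR  # unknown names are never blocked
        pw_hash, allowed = USERS[username]
        if self.failed[username] >= ATTEMPT_LIMIT:
            return "Account is blocked for 30 seconds"
        if not hmac.compare_digest(pw_hash, _pw_hash(password)):
            self.failed[username] += 1
            return GENERIC_ERROR
        if not allowed:
            return "No permissions for system access"
        return "OK"

class HardenedLogin:
    """Same decision, but every failure path, for any submitted name, yields one reply."""
    def __init__(self):
        self.failed = defaultdict(int)
    def login(self, username, password):
        pw_hash, allowed = USERS.get(username, (_pw_hash("dummy"), False))  # dummy keeps work uniform
        ok = hmac.compare_digest(pw_hash, _pw_hash(password))  # always computed
        if self.failed[username] >= ATTEMPT_LIMIT or not ok or not allowed:
            self.failed[username] += 1  # counted for any name, real or not
            return GENERIC_ERROR
        return "OK"

def leaks_user_existence(make_login, known, unknown, tries=ATTEMPT_LIMIT + 1):
    """Self-check: replay identical wrong-password attempts against a real and a
    nonexistent name; True if the reply sequences differ (the CVE-2019-15132 oracle)."""
    a, b = make_login(), make_login()
    return [a.login(known, "x") for _ in range(tries)] != [b.login(unknown, "x") for _ in range(tries)]
```

The same check applied to a real deployment would compare recorded HTTP replies (status, body, and delay) rather than strings returned by a model.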

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x
before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL
Widget.

CVE-2021-27927

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1,
5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the
CControllerAuthenticationUpdate controller lacks a CSRF protection
mechanism. The code inside this controller calls disableSIDvalidation()
inside the init() method. An attacker doesn't have to know Zabbix user
login credentials, but has to know the correct Zabbix URL and contact
information of an existing user with sufficient privileges.

CVE-2022-24349


Severity: important

-------------------------------------------------------------------------
Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u1
CVE ID: CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349
Debian Bug: 935027 966146 1014992 1014994
