git: a938308f3e09 - main - security/vuxml: Add zabbix-frontend vulnerability

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Mon, 02 Dec 2024 20:05:41 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a938308f3e09d4c03b68d06b23dbc522d19e3d61

commit a938308f3e09d4c03b68d06b23dbc522d19e3d61
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2024-12-02 20:04:55 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-12-02 20:04:55 +0000

    security/vuxml: Add zabbix-frontend vulnerability
    
     * Base Score:  9.9 CRITICAL
     * Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
---
 security/vuxml/vuln/2024.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 51f69e510fb9..64143e0bf797 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,42 @@
+  <vuln vid="f0d33375-b0e0-11ef-a724-b42e991fc52e">
+    <topic>zabbix -- SQL injection in user.get API</topic>
+    <affects>
+      <package>
+	<name>zabbix6-frontend</name>
+	<range><lt>6.0.31</lt></range>
+      </package>
+      <package>
+	<name>zabbix64-frontend</name>
+	<range><lt>6.4.16</lt></range>
+      </package>
+      <package>
+	<name>zabbix7-frontend</name>
+	<range><lt>7.0.0</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@zabbix.com reports:</p>
+	<blockquote cite="https://support.zabbix.com/browse/ZBX-25623">
+	  <p>A non-admin user account on the Zabbix frontend with the default
+	User role, or with any other role that gives API access can exploit
+	this vulnerability.  An SQLi exists in the CUser class in the
+	addRelatedObjects function, this function is being called from the
+	CUser.get function which is available for every user who has API
+	access.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-42327</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-42327</url>
+    </references>
+    <dates>
+      <discovery>2024-11-27</discovery>
+      <entry>2024-12-02</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="8b6e97a9-804e-4366-9f75-d102b22a716d">
     <topic>electron33 -- Inappropriate implementation in Extensions</topic>
     <affects>