Date: Mon, 2 Dec 2024 20:05:41 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: a938308f3e09 - main - security/vuxml: Add zabbix-frontend vulnerability Message-ID: <202412022005.4B2K5fV5080913@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=a938308f3e09d4c03b68d06b23dbc522d19e3d61 commit a938308f3e09d4c03b68d06b23dbc522d19e3d61 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2024-12-02 20:04:55 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2024-12-02 20:04:55 +0000 security/vuxml: Add zabbix-frontend vulnerability * Base Score: 9.9 CRITICAL * Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H --- security/vuxml/vuln/2024.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 51f69e510fb9..64143e0bf797 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,42 @@ + <vuln vid="f0d33375-b0e0-11ef-a724-b42e991fc52e"> + <topic>zabbix -- SQL injection in user.get API</topic> + <affects> + <package> + <name>zabbix6-frontend</name> + <range><lt>6.0.31</lt></range> + </package> + <package> + <name>zabbix64-frontend</name> + <range><lt>6.4.16</lt></range> + </package> + <package> + <name>zabbix7-frontend</name> + <range><lt>7.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>security@zabbix.com reports:</p> + <blockquote cite="https://support.zabbix.com/browse/ZBX-25623">; + <p>A non-admin user account on the Zabbix frontend with the default + User role, or with any other role that gives API access can exploit + this vulnerability. An SQLi exists in the CUser class in the + addRelatedObjects function, this function is being called from the + CUser.get function which is available for every user who has API + access.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-42327</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2024-42327</url>; + </references> + <dates> + <discovery>2024-11-27</discovery> + <entry>2024-12-02</entry> + </dates> + </vuln> + <vuln vid="8b6e97a9-804e-4366-9f75-d102b22a716d"> <topic>electron33 -- Inappropriate implementation in Extensions</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202412022005.4B2K5fV5080913>