Описание
Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| zabbix | fixed | 1:7.0.0+dfsg-1 | package |
Примечания
https://support.zabbix.com/browse/ZBX-25012
https://github.com/zabbix/zabbix/commit/9923c7dea89e19318621788df07dc7572a2528be (7.0.0rc3)
https://github.com/zabbix/zabbix/commit/2cd64d3522fe974f21487ce1606d65e10eea7bae (6.0.31rc1)
https://github.com/zabbix/zabbix/commit/5a41f3036dd47d7c196dbfc97c9923eca6f51094 (5.0.43rc1)
EPSS
Связанные уязвимости
Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.
Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.
Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem.
Уязвимость универсальной системы мониторинга Zabbix, связанная с неправильной нейтрализацией специальных элементов, используемых в команде, позволяющая нарушителю выполнить дополнительные AT-команды на модеме
EPSS