Описание
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
Ссылки
- Vendor Advisory
Уязвимые конфигурации
Одно из
EPSS
9.9 Critical
CVSS3
Дефекты
Связанные уязвимости
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
A non-admin user account on the Zabbix frontend with the default User ...
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
Уязвимость функции addRelatedObjects универсальной системы мониторинга Zabbix, позволяющая нарушителю повысить свои привилегии
EPSS
9.9 Critical
CVSS3