Summary
Zabbix is installed on the host and is prone to multiple SQL injection vulnerabilities.
Impact
Successful exploitation will allow attackers to manipulate SQL queries by injecting arbitrary SQL code.
Impact Level: Application
Solution
Upgrade to Zabbix version 1.8.22, 2.0.14, 2.2.8, or later. For updates, refer to https://www.zabbix.com
Insight
Multiple flaws exist because input passed via the 'periods' and 'itemid' GET parameters to chart_bar.php is not properly sanitised before being used in an SQL query.
Affected
Zabbix versions before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8.
Detection
Get the installed version of Zabbix with the help of the detect NVT and check whether the version is vulnerable.
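The version check described above, applied per branch to the affected ranges this page lists. This is an added example, not the NVT's own code; the function names and the sample inventory are constructed for illustration. It assumes a pre-release build of a fixed version (for example `2.0.14rc1`) sorts before the final release and so counts as affected, and it reports branches the page does not mention as `not-listed` rather than guessing.

```python
import re

# Fixed patch level per affected branch, as listed in the advisory above.
FIXED_PATCH = {(1, 8): 22, (2, 0): 14, (2, 2): 8}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*([A-Za-z]\w*)?\s*$")


def parse_version(text):
    """Split '2.0.14rc1' into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError("unrecognised Zabbix version string: %r" % text)
    major, minor, patch, suffix = m.groups()
    prerelease = bool(suffix) and suffix.lower().startswith(("rc", "alpha", "beta"))
    return int(major), int(minor), int(patch or 0), prerelease


def classify(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    major, minor, patch, prerelease = parse_version(text)
    branch = (major, minor)
    if branch < (1, 8):
        return "vulnerable"  # every branch older than 1.8 is before 1.8.22
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return "not-listed"  # branch not named in the advisory
    # Assumption: a pre-release of the fixed version precedes the final release.
    if patch < fixed or (patch == fixed and prerelease):
        return "vulnerable"
    return "fixed"


def audit(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {
        "mon-a.example": "1.8.21",
        "mon-b.example": "2.0.14rc1",
        "mon-c.example": "2.2.8",
        "mon-d.example": "2.4.0",
    }
    for host, status in sorted(audit(sample).items()):
        print(host, status)
```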
Severity
Classification
CVE: CVE-2014-9450
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P