Summary
ZABBIX is prone to a remote code execution vulnerability.
Input passed to the 'extlang' parameter in 'locales.php' is not properly sanitised before being used to process data. This can be exploited to execute arbitrary commands via specially crafted requests.
ZABBIX 1.6.2 and possibly earlier versions are vulnerable.
Solution
Updates are available. Please see the references for more information.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 9.7
CVSS Base Vector: AV:N/AC:L/Au:N/C:P/I:C/A:C