Zabbix Multiple SQL Injection Vulnerabilities - Jan15 Network Vulnerability

Summary

The host is installed with Zabbix and is prone to multiple SQL injection vulnerabilities.

Impact

Successful exploitation will allow attackers to manipulate SQL queries by injecting arbitrary SQL code. Impact Level: Application

Solution

Upgrade to Zabbix version 1.8.22 or 2.0.14 or 2.2.8 or later. For updates refer to https://www.zabbix.com

Insight

Multiple flaws exist as input passed via the 'periods' and 'itemid' GET parameter to chart_bar.php is not properly sanitised before being used in an SQL query

Affected

Zabbix versions before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8.

Detection

Get the installed version of Zabbix with the help of detect NVT and check the version is vulnerable or not.

References

http://secunia.com/advisories/61554
http://www.zabbix.com/rn1.8.22.php
http://www.zabbix.com/rn2.0.14.php
http://www.zabbix.com/rn2.2.8.php
https://support.zabbix.com/browse/ZBX-8582

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-9450
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Ad Manager Pro Multiple SQL Injection And XSS Vulnerabilities
Apple Safari PDF Javascript Security Bypass Bypass Vulnerability
Arkeia Appliance Multiple Vulnerabilities
Athena Web Registration remote command execution flaw
AlienVault OSSIM 'date_from' Parameter Multiple SQL Injection Vulnerabilities

Zabbix Multiple SQL injection Vulnerabilities - Jan15

Take action and discover your vulnerabilities