Description
The Zabbix frontend supported an XML data import feature, and on the server it parsed the imported XML with PHP's DOMDocument. By default, DOMDocument also parses the external DTD, so a remote attacker could supply a crafted XML file that causes Zabbix to read an arbitrary local file and send the contents of that file to a remote server.
Affected versions: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
Remediation
Upgrade to the latest version of Zabbix (this issue was fixed in version 2.3.2).
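For code that must parse untrusted XML with DOMDocument, the behaviour in the description can be closed off at the call site. The following PHP is an added example, not Zabbix's code or its actual patch; the function name `parseImportXml` and the two sample documents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: parse an XML import without resolving external
// DTDs or entities, and reject any document that declares a DOCTYPE.
function parseImportXml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Import file is empty');
    }
    // Refuse every external resource libxml asks for (process-wide setting).
    libxml_set_external_entity_loader(
        static function ($publicId, $systemId, $context) { return null; }
    );
    if (PHP_VERSION_ID < 80000) {
        // Older PHP/libxml2 builds: switch the entity loader off entirely.
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches. LIBXML_NOENT, LIBXML_DTDLOAD and
    // LIBXML_DTDVALID are deliberately not set.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        throw new InvalidArgumentException('Import file is not well-formed XML');
    }
    // An import format has no need for a DTD, so any DOCTYPE is refused.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    return $doc;
}

// Constructed sample inputs: a plain import and one that declares an external DTD.
$samples = [
    'plain'   => '<?xml version="1.0"?><zabbix_export><hosts/></zabbix_export>',
    'doctype' => '<?xml version="1.0"?>'
        . '<!DOCTYPE zabbix_export SYSTEM "http://dtd.example.invalid/import.dtd">'
        . '<zabbix_export><hosts/></zabbix_export>',
];
foreach ($samples as $name => $xml) {
    try {
        parseImportXml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
```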