Description
The Zabbix frontend supported an XML data import feature that parsed the imported XML on the server with DOMDocument. By default, DOMDocument also parses the external DTD, so a remote attacker could use a crafted XML file to make Zabbix read an arbitrary local file and send its contents to a remote server.
Affected versions: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
Remediation
Upgrade to the latest version of Zabbix (this issue was fixed in version 2.3.2).
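Where an application parses imported XML with DOMDocument itself, the parse can be hardened as in the following added example. It is not Zabbix's code or the actual fix; `parseImportXml()` is a hypothetical helper and the sample documents are constructed.

```php
<?php
// parseImportXml() is a hypothetical helper, not a Zabbix function.
function parseImportXml(string $xml): DOMDocument
{
    if ($xml === '') {
        throw new InvalidArgumentException('Import file is empty');
    }
    // PHP < 8.0: turn the external entity loader off for this parse.
    // (The function is deprecated in PHP 8.0, hence the version guard.)
    $legacy = PHP_VERSION_ID < 80000;
    $prevLoader = $legacy ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not passed.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Import file is not well-formed XML');
        }
        // An import file needs no DTD, so refuse any document that declares one.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE is not allowed');
            }
        }
        return $doc;
    } finally {
        // Restore the global libxml state for the rest of the request.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($legacy) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed samples: a plain document and one that declares a DOCTYPE.
$samples = [
    'plain'   => '<zabbix_export><version>2.0</version></zabbix_export>',
    'doctype' => '<!DOCTYPE zabbix_export [<!ENTITY e "x">]><zabbix_export>&e;</zabbix_export>',
];
foreach ($samples as $name => $xml) {
    try {
        parseImportXml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```

The DOCTYPE check runs after parsing, so the loader settings are what keep the parser from fetching anything; the check only makes the rejection explicit.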