CVE-2022-23134: [ZBX-20384] Possible view of the setup pages by unauthenticated users if config file already exists (CVE-2022-23134)

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.

  • **Type:** Defect (Security)

  • **Status:** Closed

  • **Priority:** Blocker

  • **Resolution:** Fixed

  • **Affects Version/s:** 5.4.8, 6.0.0beta1

  • **Sprint:** Sprint 83 (Dec 2021)

  • **CVE number:** CVE-2022-23134

  • **CVSS score:** 3.7

  • **Severity:** Low

Description

After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well.

Known attack vectors

A malicious actor can pass the step checks of setup.php and potentially change the configuration of the Zabbix Frontend.
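The pattern the advisory describes, a multi-step setup script whose "configuration already exists, so only a super-admin may proceed" check runs only on the first step while later steps trust the client-supplied step number, is shown below beside a hardened form that applies the check to every request. This is an added illustration written for this page; it is not Zabbix's setup.php, and every name in it (the step constants, `USER_TYPE_SUPER_ADMIN`'s value, `setup_step_vulnerable`, `setup_step_hardened`, the request and session arrays) is hypothetical.

```php
<?php
// Added illustration for CVE-2022-23134; this is not Zabbix's setup.php.
// Every name below (the step constants, setup_step_vulnerable,
// setup_step_hardened, the request/session arrays) is hypothetical.
declare(strict_types=1);

const USER_TYPE_SUPER_ADMIN = 3;  // assumed value for the illustration
const STEP_WELCOME = 0;
const STEP_DB      = 1;
const STEP_FINISH  = 2;

function is_super_admin(?array $user): bool
{
    return $user !== null && ($user['type'] ?? null) === USER_TYPE_SUPER_ADMIN;
}

// Writes a minimal frontend config from the submitted DB parameters.
function write_config(string $configFile, array $request): void
{
    $server = var_export((string)($request['db_server'] ?? 'localhost'), true);
    file_put_contents($configFile, "<?php\n\$DB['SERVER'] = {$server};\n");
}

/**
 * Vulnerable shape: the "config already exists, so require a super-admin"
 * check runs only when the wizard starts at STEP_WELCOME. Later steps are
 * dispatched purely on the client-supplied 'step' parameter, so an
 * unauthenticated request that names STEP_FINISH reaches write_config().
 */
function setup_step_vulnerable(?array $user, array $request, string $configFile): string
{
    $step = (int)($request['step'] ?? STEP_WELCOME);

    switch ($step) {
        case STEP_WELCOME:
            if (file_exists($configFile) && !is_super_admin($user)) {
                return 'denied';
            }
            return 'welcome';
        case STEP_DB:
            return 'db-form';
        case STEP_FINISH:
            write_config($configFile, $request);   // reachable without any auth
            return 'config-written';
        default:
            return 'unknown-step';
    }
}

/**
 * Hardened shape: the same ownership check is applied to every request
 * before any step is dispatched, and the current step lives in server-side
 * session state; the client may only advance one step at a time.
 */
function setup_step_hardened(?array $user, array $request, array &$session, string $configFile): string
{
    if (file_exists($configFile) && !is_super_admin($user)) {
        return 'denied';
    }

    $step = (int)($session['step'] ?? STEP_WELCOME);
    if (($request['action'] ?? '') === 'next' && $step < STEP_FINISH) {
        $session['step'] = ++$step;
    }

    switch ($step) {
        case STEP_WELCOME:
            return 'welcome';
        case STEP_DB:
            return 'db-form';
        default:
            write_config($configFile, $request);
            return 'config-written';
    }
}

// --- demonstration (constructed input) -----------------------------------
// Simulate a finished installation: the config file already exists.
$configFile = tempnam(sys_get_temp_dir(), 'zbx');
file_put_contents($configFile, "<?php\n\$DB['SERVER'] = 'localhost';\n");

$unauthenticated = null;
$attack = ['step' => STEP_FINISH, 'db_server' => 'attacker.example'];

echo 'vulnerable: ', setup_step_vulnerable($unauthenticated, $attack, $configFile), PHP_EOL;
echo 'config now: ', trim(file_get_contents($configFile)), PHP_EOL;

$session = [];
echo 'hardened:   ', setup_step_hardened($unauthenticated, $attack, $session, $configFile), PHP_EOL;

unlink($configFile);
```

Run with `php setup_demo.php`: the vulnerable variant reports `config-written` and the config file now names `attacker.example` as the database server, while the hardened variant reports `denied` for the same unauthenticated request because the existence check is evaluated before any step is dispatched. Keeping the step counter server-side is a secondary measure; the decisive fix for this class of bug is performing the authorization check on every request to the setup script, not only on its first step.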

Resolution

To remediate this vulnerability, apply the updates listed in the 'Fixed Version' section to the appropriate products, or, if an immediate update is not possible, follow the workarounds presented below.

Acknowledgements

Zabbix wants to thank Thomas Chauchefoin from SonarSource for reporting this issue to us.

Affected versions

5.4.0 - 5.4.8
6.0.0 - 6.0.0beta1

Workarounds

If an immediate update is not possible, remove the setup.php file from the Zabbix Frontend installation so that the setup steps are no longer reachable.

Causes

  • ZBX-20387 Broken language in setup routine for logged-in super-admin (Closed)
