Monitoring

In Nagios XI version 2024R1.1.4 a medium severity vulnerability CVE-2024-42898 was detected. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter in the Account Settings page. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42898.

In LibreNMS versions 24.9.0 up to 24.10.0 a medium severity vulnerability CVE-2024-53457 was detected. This vulnerability lets attackers run harmful web scripts or HTML code by adding a specially crafted input into the Display Name field. To address this issue, users should upgrade LibreNMS to version 24.10.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53457.

In Zabbix versions 5.0.0 <= 5.0.42, 6.0.0 <= 6.0.32, 6.4.0 <= 6.4.17, and 7.0.0 <= 7.0.1rc1 a high severity vulnerability CVE-2024-36467 was detected. This vulnerability allows authenticated users with API access (users with the default User role) to add themselves to any group, such as Zabbix Administrators, except for groups that are disabled or have restricted GUI access. Currently there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36467.

In Zabbix versions 7.0.0 through 7.0.2rc1 a low-severity vulnerability CVE-2024-36468 was detected. This vulnerability allows attackers to exploit a stack buffer overflow in the `zbx_snmp_cache_handle_engineid` function, caused by improper bounds checking when copying data from `session->securityEngineID` to `local_record.engineid`. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36468.

In Browser WebDriver for Zabbix versions from 7.0.0 to 7.0.3 a medium severity vulnerability CVE-2024-42328 was detected. This vulnerability allows attackers to crash the application by exploiting a NULL pointer dereference when the server returns an empty response. To fix this issue, users should upgrade Zabbix to version 7.0.4rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-42328.

In Zabbix versions from 6.0.0 to 6.0.33, from 6.4.0 to 6.4.18, from 7.0.0 to 7.0.3 a critical severity vulnerability CVE-2024-42330 was detected. This vulnerability allows attackers to manipulate HTTP headers to access hidden properties of objects by exploiting improper encoding of server data for JavaScript. To fix this issue, users should upgrade Zabbix to versions 6.0.34rc1, 6.4.19rc1, and 7.0.4rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-42330.

In Zabbix versions from 6.0.0 to 6.0.31, from 6.4.0 to 6.4.16 and 7.0.0 a high severity vulnerability CVE-2024-36466 was detected. This vulnerability allows attackers to forge and sign a zbx_session cookie, granting them admin permissions. To fix this issue, users should upgrade Zabbix to versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-36466.

In Zabbix Server versions prior to 1:7.0.5+dfsg-1 a low severity vulnerability CVE-2024-42333 was detected. This vulnerability lets attackers access a small portion of server memory by reading memory outside its intended boundaries in the code src/libs/zbxmedia/email.c. This could potentially leak sensitive data. To address this issue, users must upgrade to version 1:7.0.5+dfsg-1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42333.

In Zabbix versions from 6.0.0 to 6.0.29 and from 6.4.0 to 6.4.14 a medium severity vulnerability CVE-2024-36464 was detected. This vulnerability allows attackers to retrieve passwords stored in plain text within YAML files if they have access to them, potentially compromising sensitive systems. To fix this issue, users should upgrade Zabbix to versions 6.0.30rc1 or 6.4.15rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36464.