Monitoring

In Zabbix versions 6.0.0 up to 6.0.31, 6.4.0 up to 6.4.16 and 7.0.0 to 7.0.1 a critical severity vulnerability CVE-2024-42327 was detected. This vulnerability allows attackers with API access, even with non-admin accounts, to exploit an SQL injection in the `CUser` class via the `addRelatedObjects` function. To address this issue, users should upgrade Zabbix to versions 6.0.32rc1, 6.4.17rc1 or 7.0.2rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42327.

In Zabbix versions 6.0.0 to 6.0.34, 6.4.0 to 6.4.19, and 7.0.0 to 7.0.4 a low severity vulnerability CVE-2024-42332 was detected. This vulnerability lets attackers send an SNMP (Simple Network Management Protocol) trap with extra data, showing fake information in the Zabbix UI. The attack works if SNMP authentication is off or if the attacker knows the community/authentication details. An SNMP item must also be set as text on the target host. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42332.

In Sentry version 24.11.0 a medium severity vulnerability CVE-2024-53253 was detected. A specific error message could expose a plaintext Client ID and Client Secret in the HTTP response. This issue affects self-hosted users with custom integrations. To address this issue, upgrade to the latest version or downgrade to 24.10.0. For Sentry SaaS users, no action is needed as the issue was resolved. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-53253.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-50352 was detected. This vulnerability allows attackers to inject malicious JavaScript through the “name” field in the “Services” section. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-50352.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-50355 was detected. This vulnerability allows attackers with Admin role to inject JavaScript code into the device Display Name, which is not properly sanitized. The injected code can be triggered from different sources. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-50355.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51494 was detected. This vulnerability allows authenticated users to inject arbitrary JavaScript through the “descr” parameter when editing a device’s port settings on the “Port Settings” page. The injected code can be executed when the page is visited, potentially compromising the user’s session and enabling unauthorized actions. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51494.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-52526 was detected. This vulnerability allows authenticated users to inject arbitrary JavaScript through the “descr” parameter in the “Services” tab of the Device page. This could result in the execution of malicious code within the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52526.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51497 was found. It allows logged-in users to add harmful code through the “Custom OID” tab. OID (Object Identifier) is a unique number used to identify specific items or settings in network devices. When creating a new OID, this issue could let attackers run malicious actions on other users’ accounts. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51497.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51496 was found in the “metric” parameter of the “/wireless” and “/health” pages. This issue allows attackers to inject harmful code that runs when a user visits these pages. This could compromise the user’s session and allow unauthorized actions. To fix this, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51496.