Monitoring

In Sentry version 6.0.9 a medium severity vulnerability CVE-2024-48743 was found. This vulnerability lets attackers exploit the “z” parameter to run unauthorized code remotely. At the time of publication of the CVE, no patch is available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-48743.

In Nagios XI versions before 2024R1 a critical severity vulnerability CVE-2023-48082 was detected. This vulnerability allows attackers to generate identical API keys for all users, enabling unauthorized authentication. To address this issue, update to Nagios XI 2024R1 or later. For more details, visit https://avd.aquasec.com/nvd/2023/cve-2023-48082.

In LibreNMS versions prior to 24.9.0 a medium severity vulnerability CVE-2024-47528 related to Stored Cross-Site Scripting (XSS) was detected. This vulnerability allows attackers to upload an SVG file containing an XSS payload when setting a background for a custom map. The payload triggers upon loading the map. To address this issue, users should upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47528.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47527 was detected. This vulnerability allows attackers to inject arbitrary JavaScript through the “hostname” parameter in the “Device Dependencies” feature. This could lead to the execution of malicious code within other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, updating to version 24.9.0 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47527.

In LibreNMS versions prior to 24.9.0 a high severity vulnerability CVE-2024-47525 was detected. This Stored Cross-Site Scripting (XSS) vulnerability in the “Alert Rules” feature allows authenticated users to inject arbitrary JavaScript through the “Title” field. This can lead to the execution of malicious code in the context of other users’ sessions, potentially compromising their accounts and enabling unauthorized actions. To address this issue, users are advised to upgrade to version 24.9.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47525.

In LibreNMS a low severity vulnerability CVE-2024-47526 was detected. This vulnerability allows users to inject arbitrary JavaScript into the alert template’s name, which executes immediately upon submission but does not persist after a page refresh. Currently there is no fix version for this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47526.

In Zabbix versions 5.0.0 – 5.0.42, 6.0.0 – 6.0.30, 6.4.0 – 6.4.15, 7.0.0alpha1 – 7.0.0rc2 a medium severity vulnerability CVE-2024-22122 was detected. This vulnerability allows attackers to execute arbitrary AT commands on a modem through specially crafted input in the “Number” field during SMS notification configuration in Zabbix, due to the lack of validation on both the web interface and server side. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, and 7.0.0rc3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22122.

In Zabbix versions 5.0.8 and 6.0.14 a medium severity vulnerability CVE-2024-36462 was detected. This vulnerability allows attackers to use too many system resources, such as CPU or memory, causing the system to slow down or crash. To fix this problem, users should upgrade Zabbix to version 7.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36462.

In Zabbix versions from 5.0.0 before 5.0.42, 6.0.0 before 6.0.30, 6.4.0 before 6.4.15 and 7.0.0alpha1 before 7.0.0 a medium severity vulnerability CVE-2024-22121 was detected. This vulnerability allows attackers to change or remove key parts of the Zabbix Agent, which can break or disrupt the application. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1 and 7.0.0rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22121.