Monitoring

In Zabbix versions from 6.0.0 to 6.0.31, from 6.4.0 to 6.4.16 and 7.0.0 a high severity vulnerability CVE-2024-36466 was detected. This vulnerability allows attackers to forge and sign a zbx_session cookie, granting them admin permissions. To fix this issue, users should upgrade Zabbix to versions 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-36466.

In Zabbix Server versions prior to 1:7.0.5+dfsg-1 a low severity vulnerability CVE-2024-42333 was detected. This vulnerability lets attackers access a small portion of server memory by reading memory outside its intended boundaries in the code src/libs/zbxmedia/email.c. This could potentially leak sensitive data. To address this issue, users must upgrade to version 1:7.0.5+dfsg-1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42333.

In Zabbix versions from 6.0.0 to 6.0.29 and from 6.4.0 to 6.4.14 a medium severity vulnerability CVE-2024-36464 was detected. This vulnerability allows attackers to retrieve passwords stored in plain text within YAML files if they have access to them, potentially compromising sensitive systems. To fix this issue, users should upgrade Zabbix to versions 6.0.30rc1 or 6.4.15rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36464.

In Zabbix versions 6.0.0 up to 6.0.31, 6.4.0 up to 6.4.16 and 7.0.0 to 7.0.1 a critical severity vulnerability CVE-2024-42327 was detected. This vulnerability allows attackers with API access, even with non-admin accounts, to exploit an SQL injection in the `CUser` class via the `addRelatedObjects` function. To address this issue, users should upgrade Zabbix to versions 6.0.32rc1, 6.4.17rc1 or 7.0.2rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42327.

In Zabbix versions 6.0.0 to 6.0.34, 6.4.0 to 6.4.19, and 7.0.0 to 7.0.4 a low severity vulnerability CVE-2024-42332 was detected. This vulnerability lets attackers send an SNMP (Simple Network Management Protocol) trap with extra data, showing fake information in the Zabbix UI. The attack works if SNMP authentication is off or if the attacker knows the community/authentication details. An SNMP item must also be set as text on the target host. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-42332.

In Sentry version 24.11.0 a medium severity vulnerability CVE-2024-53253 was detected. A specific error message could expose a plaintext Client ID and Client Secret in the HTTP response. This issue affects self-hosted users with custom integrations. To address this issue, upgrade to the latest version or downgrade to 24.10.0. For Sentry SaaS users, no action is needed as the issue was resolved. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-53253.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-50352 was detected. This vulnerability allows attackers to inject malicious JavaScript through the “name” field in the “Services” section. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-50352.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-50355 was detected. This vulnerability allows attackers with Admin role to inject JavaScript code into the device Display Name, which is not properly sanitized. The injected code can be triggered from different sources. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-50355.

In LibreNMS versions before 24.10.0 a medium severity vulnerability CVE-2024-51494 was detected. This vulnerability allows authenticated users to inject arbitrary JavaScript through the “descr” parameter when editing a device’s port settings on the “Port Settings” page. The injected code can be executed when the page is visited, potentially compromising the user’s session and enabling unauthorized actions. To address this issue, update to LibreNMS version 24.10.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-51494.