Monitoring

In LibreNMS a low severity vulnerability CVE-2024-47526 was detected. This vulnerability allows users to inject arbitrary JavaScript into the alert template’s name, which executes immediately upon submission but does not persist after a page refresh. Currently, there is no fix version for this vulnerability. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47526.

In Zabbix versions 5.0.0 – 5.0.42, 6.0.0 – 6.0.30, 6.4.0 – 6.4.15, 7.0.0alpha1 – 7.0.0rc2 a medium severity vulnerability CVE-2024-22122 was detected. This vulnerability allows attackers to execute arbitrary AT commands on a modem through specially crafted input in the “Number” field during SMS notification configuration in Zabbix, due to the lack of validation on both the web interface and server side. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1, and 7.0.0rc3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22122.

In Zabbix versions 5.0.8 and 6.0.14 a medium severity vulnerability CVE-2024-36462 was detected. This vulnerability allows attackers to use too many system resources, such as CPU or memory, causing the system to slow down or crash. To fix this problem, users should upgrade Zabbix to version 7.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36462.

In Zabbix versions from 5.0.0 before 5.0.42, 6.0.0 before 6.0.30, 6.4.0 before 6.4.15 and 7.0.0alpha1 before 7.0.0 a medium severity vulnerability CVE-2024-22121 was detected. This vulnerability allows attackers to change or remove key parts of the Zabbix Agent, which can break or disrupt the application. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1 and 7.0.0rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22121.

In Zabbix versions 6.0.30, 6.4.15 and 7.0.0 a critical severity vulnerability CVE-2024-36461 was detected. This allows attackers to overload the system and make it unavailable by consuming excessive resources through the Banzai pipeline. To fix this problem, users should upgrade Zabbix to versions 6.0.31rc1, 6.4.16rc1, and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36461.

In Zabbix versions from 5.0.0 prior to 5.0.42, 6.0.0 prior to 6.0.30, 6.4.0 prior to 6.4.15, and 7.0.0alpha1 prior to 7.0.0 a high severity vulnerability CVE-2024-36460 was detected. This vulnerability allows attackers to view and steal unprotected passwords directly from the audit log, potentially leading to unauthorized access and impersonation. To fix this problem, users should upgrade Zabbix to versions 5.0.43rc1, 6.0.31rc1, 6.4.16rc1 and 7.0.1rc1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36461.

In Zabbix a critical severity vulnerability CVE-2024-22116 was detected. A restricted-permission admin can exploit the Monitoring Hosts script execution to run arbitrary code via the Ping script, risking infrastructure compromise. To address this issue users should upgrade to versions 6.4.16 RC1 or above, 7.0.0 RC3 or above. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-22116.

In Zabbix version 6.0.0 – 7.0.0alpha1 a critical vulnerability CVE-2024-22120 was detected. This vulnerability allows the attacker to perform command execution for configured scripts. After it is possible to inject SQL into “clientip” and exploit time based blind SQL injection. To address this issue, users are advised to upgrade to the version 7.0.0 beta1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-22120/.

In Zabbix version 6.0.0 – 7.0.0alpha1 a critical vulnerability CVE-2024-22120 was detected. This vulnerability allows command execution and SQL injection via “clientip.” To address this issue, users should upgrade Zabbix to version 7.0.0 beta1. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-22120/.