
Description

A low-privilege (regular) Zabbix user with API access can exploit an SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter: the value supplied for groupBy is not restricted to a known column name before it reaches the query, so the caller controls part of the SQL text.
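As an added illustration of the bug class, not code from Zabbix, from CApiService.php or from the CVE record, the following Python/sqlite3 sketch shows what "groupBy spliced into the query" looks like and what the allow-list fix looks like. The schema (a hosts table the API may expose, a users table a regular user must never read), the column names and the injected payload are all constructed for this example; they are not the Zabbix schema, the actual query shape, or the reporter's payload.

```python
import sqlite3

# Constructed sample schema for the example (not the Zabbix schema):
# "hosts" is data the API may return; "users" holds secrets a low-privilege
# caller must not be able to read through any API method.
SCHEMA = """
CREATE TABLE hosts (hostid INTEGER PRIMARY KEY, name TEXT, status INTEGER);
CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
INSERT INTO hosts VALUES (1, 'web-01', 0), (2, 'web-02', 0), (3, 'db-01', 1);
INSERT INTO users VALUES (1, 'Admin', '$2y$10$fakehash'), (2, 'guest', '$2y$10$other');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_hosts_vulnerable(conn, group_by):
    """Vulnerable pattern: the caller-controlled groupBy option is concatenated
    straight into the SQL text. Anything that parses as a GROUP BY expression
    list (including scalar subqueries against other tables) is executed."""
    sql = f"SELECT {group_by}, COUNT(*) FROM hosts GROUP BY {group_by}"
    return conn.execute(sql).fetchall()


# Hardened pattern: groupBy must name one of the columns the method exposes.
ALLOWED_GROUP_BY = frozenset({"status", "name"})


class InvalidGroupBy(ValueError):
    """Raised when groupBy is not an allow-listed column name."""


def count_hosts_hardened(conn, group_by):
    """Same query, but groupBy is validated against an allow-list of column
    identifiers first, so it can never carry SQL of its own. The identifier is
    still quoted so that even an allow-listed name cannot be misparsed."""
    if not isinstance(group_by, str) or group_by not in ALLOWED_GROUP_BY:
        raise InvalidGroupBy(f"unsupported groupBy value: {group_by!r}")
    sql = f'SELECT "{group_by}", COUNT(*) FROM hosts GROUP BY "{group_by}"'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed payload: a legitimate column followed by a scalar subquery
    # that pulls a value out of a table the caller is not allowed to query.
    payload = "status, (SELECT passwd FROM users WHERE username = 'Admin')"
    print("vulnerable:", sorted(count_hosts_vulnerable(db, payload)))
    print("hardened  :", sorted(count_hosts_hardened(db, "status")))
    try:
        count_hosts_hardened(db, payload)
    except InvalidGroupBy as exc:
        print("hardened rejected payload:", exc)
```

The payload does not need stacked statements or comment tricks: a GROUP BY expression list is already a place where arbitrary expressions are legal, so a subquery is enough to read from an unrelated table, which is why the record rates confidentiality, integrity and availability impact all as high. The fix is an allow-list of column identifiers, not escaping; identifiers cannot be bound as parameters, so the only safe input for them is a value chosen from a fixed set.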

Status: PUBLISHED | Reserved 2024-05-28 | Published 2025-04-02 | Updated 2025-04-02 | Assigner: Zabbix

Severity: HIGH, 8.6 (CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

7.0.0 (git): affected

7.2.0 (git): affected

The record lists the affected starting points only; fixed releases are tracked in the Zabbix issue ZBX-26257 listed under References.

Credits

Zabbix wants to thank cynau1t for submitting this report on the HackerOne bug bounty platform (role: reporter).

References

support.zabbix.com/browse/ZBX-26257

cve.org (CVE-2024-36465)

nvd.nist.gov (CVE-2024-36465)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.