CVE-2024-42327 CRITICAL

CVE-2024-42327: SQL injection in user.get API

Vendor Zabbix
Product Zabbix
Weakness CWE-89 · SQLi
Published November 27, 2024
Last update December 4, 2024

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the addRelatedObjects function of the CUser class; this function is called from the CUser.get function, which is available to every user who has API access.
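The description names the weakness class (CWE-89) but not the code pattern behind it. As an added illustration that is not Zabbix's code and does not reproduce the affected CUser path, the example below shows the generic defect side by side with its fix on a constructed in-memory SQLite table: a caller-supplied filter value spliced into the SQL text versus the same query with the value bound as a parameter. The table, rows, and function names are all this example's own assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table standing in for a frontend user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, roleid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Admin", 3), (2, "guest", 4), (3, "alice", 1)],
    )
    return conn


def get_users_vulnerable(conn: sqlite3.Connection, roleid: str) -> list:
    """CWE-89 pattern: the caller-supplied filter value becomes part of the SQL text,
    so anything the caller puts in the value is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE roleid = '{roleid}'"
    return [row[0] for row in conn.execute(sql)]


def get_users_hardened(conn: sqlite3.Connection, roleid: str) -> list:
    """Parameterized form: the SQL text is fixed and the value is bound by the driver,
    so it can only ever be compared as data, never interpreted as SQL."""
    sql = "SELECT username FROM users WHERE roleid = ?"
    return [row[0] for row in conn.execute(sql, (roleid,))]


if __name__ == "__main__":
    db = make_db()
    print(get_users_vulnerable(db, "1"))  # ['alice']
    print(get_users_hardened(db, "1"))    # ['alice']
```

In the hardened form a value that is not a valid role id simply matches nothing, which is the behaviour an API filter should have regardless of the caller's privilege level; this is the usual remediation for an SQLi reachable from a low-privilege API method such as the one this record describes.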

Key dates

Disclosure timeline

November 27, 2024 CVE published
December 4, 2024 Record updated