Main Vulnerability Database Vulnerabilities #VU101062

#VU101062 Format string error in Zabbix - CVE-2024-42330

Published: December 1, 2024

Vulnerability identifier: #VU101062

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-42330

CWE-ID: CWE-134

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Zabbix

Software vendor:
Zabbix

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a format string error within the HttpRequest object that allows to get the HTTP headers from the server's response after sending the request. The returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. A remote user can create internal strings that can be used to access hidden properties of objects, which can lead to remote code execution.

Remediation

Install updates from vendor's website.

External links

https://support.zabbix.com/browse/ZBX-25626

#VU101062 Format string error in Zabbix - CVE-2024-42330

Description

Remediation

External links

Please verify you're human