Main Vulnerability Database Vulnerabilities #VU101284

#VU101284 Missing authorization in Zabbix - CVE-2024-36467

Published: December 5, 2024

Vulnerability identifier: #VU101284

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-36467

CWE-ID: CWE-862

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Zabbix

Software vendor:
Zabbix

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to missing authorization checks within the API. A remote user with access to the user.update API endpoint can assign an administrative group to their account and escalate privileges within the application.

Remediation

Install updates from vendor's website.

External links

https://support.zabbix.com/browse/ZBX-25614

#VU101284 Missing authorization in Zabbix - CVE-2024-36467

Description

Remediation

External links

Please verify you're human