Critical SQL Injection Vulnerability Discovered in Zabbix
Security researcher Alejandro Ramos has published a proof-of-concept exploit for CVE-2024-42327, a critical SQL injection vulnerability in Zabbix, the open-source monitoring platform, rated CVSSv3 9.9. The flaw lies in the addRelatedObjects function of the CUser class and can be triggered by non-admin users who have API access, potentially leading to privilege escalation and unauthorized access to sensitive data. Zabbix has acknowledged the issue and urges users to update to patched versions immediately; affected versions are 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0. Organizations are also advised to restrict unnecessary API permissions to reduce the exposure associated with this vulnerability.
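As an added example (not part of the original article or of Zabbix itself), the following Python snippet triages a fleet of Zabbix instances against the affected version ranges stated above. It assumes the version strings were obtained from the Zabbix JSON-RPC API method `apiinfo.version`; the responses embedded below are constructed sample data.

```python
import json
import re

# Affected ranges as stated in the advisory text above (inclusive bounds).
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 31)),
    ((6, 4, 0), (6, 4, 16)),
    ((7, 0, 0), (7, 0, 0)),
]


def parse_version(version: str) -> tuple:
    """Turn a Zabbix version string ('6.0.31', '7.0.0rc1') into (major, minor, patch).

    Pre-release suffixes are ignored, so '7.0.0rc1' is treated as 7.0.0 and
    therefore flagged; that is the conservative choice for triage.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any range listed for CVE-2024-42327."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(responses: dict) -> dict:
    """Map host name -> affected? from raw apiinfo.version JSON-RPC responses."""
    return {host: is_affected(json.loads(raw)["result"]) for host, raw in responses.items()}


# Constructed sample responses (what apiinfo.version returns per host).
SAMPLE_RESPONSES = {
    "zbx-prod-01": '{"jsonrpc":"2.0","result":"6.0.31","id":1}',
    "zbx-prod-02": '{"jsonrpc":"2.0","result":"6.0.32","id":1}',
    "zbx-lab-01":  '{"jsonrpc":"2.0","result":"7.0.0","id":1}',
    "zbx-old-01":  '{"jsonrpc":"2.0","result":"5.0.40","id":1}',
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {'UPDATE REQUIRED' if affected else 'not in affected range'}")
```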