Critical SQL Injection Vulnerability Found in Zabbix
Security researcher Alejandro Ramos has published a proof-of-concept exploit for CVE-2024-42327, a severe SQL injection vulnerability (CVSS score 9.9) in Zabbix, the open-source monitoring platform. The flaw lies in the addRelatedObjects function of the CUser class and can be triggered by non-admin users who have API access, potentially leading to privilege escalation and unauthorized access to sensitive data. Zabbix has urged users to update immediately to the patched versions 6.0.32rc1, 6.4.17rc1, or 7.0.1rc1, since the vulnerability could severely disrupt operations for organizations that rely on Zabbix for critical monitoring. The issue was originally reported by Márk Rákóczi through the HackerOne bug bounty platform.