CVE-2024-42327: SQL injection in user.get API

9.9 CVSS

Description

A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.

Classification

CVE ID: CVE-2024-42327

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.9

Affected Products

Vendor: Zabbix

Product: Zabbix

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://support.zabbix.com/browse/ZBX-25623

Timeline

2024-11-28 00:11:50 UTC
CVE

SQL injection in user.get API