CVE-2024-45699

High CVSS: 7.5

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

Vendor

Zabbix

Product

Zabbix

CWE

CWE-79

Yayın Tarihi

2025-04-02 07:15:41

Güncelleme

2025-11-03 20:16:30

Source Identifier

security@zabbix.com

KEV Date Added

Kategoriler

CWE-79 Zabbix HIGH Zabbix 2025

Referanslar

https://support.zabbix.com/browse/ZBX-26254 https://lists.debian.org/debian-lts-announce/2025/04/msg00027.html

Benzer Kayıtlar

Medium

CVE-2025-49643

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending sp…

Medium

CVE-2025-27232

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver le…

Medium

CVE-2025-49641

A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refre…

Medium

CVE-2025-27231

The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host…

Low

CVE-2025-27236

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have…

Low

CVE-2025-27238

Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user gr…