A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access.
The vulnerability is located in the CUser class, in the addRelatedObjects method, which is called by the CUser.get function. The CUser.get function is available to every user with access to the API, including accounts with the default User role. Input data passed to this function is not properly validated or parameterized, which enables injection of arbitrary SQL code on the database server side.
An attacker with access to the Zabbix API can execute arbitrary SQL queries in the database, which may lead to disclosure of confidential data, data modification, and potential takeover of complete system control (privilege escalation, RCE in favorable configurations).
Patches available from the vendor should be applied in accordance with references (https://support.zabbix.com/browse/ZBX-25623). As a temporary measure, it is recommended to restrict access to the Zabbix API exclusively to trusted administrative accounts and block access to the Zabbix frontend from untrusted networks at the firewall level.
Zabbix – versions indicated in vendor references; installations are vulnerable where users with the default User role or another role with API access have the ability to use the Zabbix frontend.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HZabbix
APPZabbix6.0.0 – 6.0.32 (bez)6.4.0 – 6.4.17 (bez)7.0.0 – 7.0.1 (bez)
Related vulnerabilities
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modif...
Zabbix: niekodowane nagłówki HTTP umożliwiają dostęp do ukrytych właściwości obiektów
Zabbix: modyfikacja wskaźników pamięci w silniku JavaScript (RCE/DoS)
Zabbix: RCE przez brak escapowania parametrów skryptu Ping
Zabbix Server — time-based blind SQL injection przez pole clientip