Zabbix 1.8.x < 1.8.2 'DBCondition' Parameter SQL Injection

High

Synopsis

The remote host is running a web application that is vulnerable to a SQL-injection attack.

Description

The remote host is running Zabbix, an IT monitoring service. The installed version of Zabbix is earlier than 1.8.2. Such versions are potentially affected by a SQL-injection vulnerability in the 'user' parameter of the 'api.jsonrpc.php' script. A remote, unauthenticated attacker could exploit this flaw to gain control of the affected application.

Solution

Upgrade to Zabbix 1.8.2 or later.