Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.

Multiple Vulnerabilities in Zabbix (API)

Multiple Vulnerabilities in Zabbix (Proxy, Server)

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4131 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4131-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Tobias Frost     April 19, 2025                                https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : zabbix     Version        : 1:5.0.46+dfsg-1+deb11u1     CVE ID         : CVE-2024-36469 CVE-2024-42325 CVE-2024-45699 CVE-2024-45700     Debian Bug     :

    Several security vulnerabilities have been discovered in zabbix, a     network monitoring solution, potentially among other effects allowing     denial of service, information disclosure or remote code inclusion.

    CVE-2024-36469

        Execution time for an unsuccessful login differs when using a         non-existing username compared to using an existing one.

    CVE-2024-42325

        Zabbix API user.get returns all users that share common group with the         calling user. This includes media and other information, such as login         attempts, etc.

    CVE-2024-45699

        The endpoint /zabbix.php?action=export.valuemaps suffers from a         Cross-Site Scripting vulnerability via the backurl parameter. This is         caused by the reflection of user-supplied data without appropriate HTML         escaping or output encoding. As a result, a JavaScript payload may be         injected into the above endpoint causing it to be executed within the         context of the victim's browser.

    CVE-2024-45700

        Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled         resource exhaustion. An attacker can send specially crafted requests to         the server, which will cause the server to allocate an excessive amount         of memory and perform CPU-intensive decompression operations, ultimately         leading to a service crash.

    For Debian 11 bullseye, these problems have been fixed in version     1:5.0.46+dfsg-1+deb11u1.

    We recommend that you upgrade your zabbix packages.

    For the detailed security status of zabbix please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/zabbix

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-d4263ef3ef advisory.

    Update to 6.0.39 (CVE-2024-45700, CVE-2024-36469, CVE-2024-42325, CVE-2024-45699)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-a7a06a72c8 advisory.

    Update to 7.0.11

    CVE-2024-36465, CVE-2024-36469, CVE-2024-42325, CVE-2024-45699, CVE-2024-45700

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Zabbix installed on the remote host affected by a user enumeration vulnerability. Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
234691	Debian dla-4131 : zabbix-agent - security update	Nessus	Debian Local Security Checks	high
234247	Fedora 40 : zabbix (2025-d4263ef3ef)	Nessus	Fedora Local Security Checks	high
234185	Fedora 41 : zabbix (2025-a7a06a72c8)	Nessus	Fedora Local Security Checks	high
233861	Zabbix 5.x < 5.0.46rc1 / 6.x < 6.0.38rc1 / 7.0.x < 7.0.9rc1 / 7.2.x < 7.2.3rc1 User Enumeration (ZBX-26255)	Nessus	CGI abuses	low

Detections

Analytics

CVE-2024-36469

low

Tenable Plugins

Coming Soon

high

high

high

low