Vulnerability CVE-2016-10134: Information
Description
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| zabbix | sisyphus | 2.4.0-alt1 | 6.0.29-alt1 | ALT-PU-2014-2165-1 | 130800 | Fixed |
| zabbix | p10 | 2.4.0-alt1 | 6.0.29-alt0.p10.1 | ALT-PU-2014-2165-1 | 130800 | Fixed |
| zabbix | p9 | 2.4.0-alt1 | 5.0.12-alt0.p9.1 | ALT-PU-2014-2165-1 | 130800 | Fixed |
| zabbix | p8 | 3.0.4-alt1 | 3.0.26-alt0.M80P.2 | ALT-PU-2016-1783-1 | 167444 | Fixed |
| zabbix | c10f1 | 2.4.0-alt1 | 6.0.27-alt0.c10f1.1 | ALT-PU-2014-2165-1 | 130800 | Fixed |
| zabbix | c9f2 | 2.4.0-alt1 | 5.0.40-alt1 | ALT-PU-2014-2165-1 | 130800 | Fixed |
| zabbix | c7 | 3.4.4-alt0.M70C.1 | 3.4.4-alt0.M70C.1 | ALT-PU-2017-2823-1 | 196831 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://support.zabbix.com/browse/ZBX-11023 |
|
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936 |
|
| 95423 |
|
| [oss-security] 20170112 Re: CVE Request: Zabbix: SQL injection vulnerabilities in "Latest data" |
|
| [oss-security] 20170112 CVE Request: Zabbix: SQL injection vulnerabilities in "Latest data" |
|
| https://code610.blogspot.com/2017/10/zbx-11023-quick-autopsy.html | |
| DSA-3802 |