VulnerableCode Package Details - pkg:deb/debian/zabbix@1:7.0.9%2Bdfsg-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-172p-q6d5-9ya3	Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.	CVE-2024-36469
VCID-b8tm-2187-wkhz	When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.	CVE-2024-36464
VCID-hfam-an1b-u7e3	A low privilege (regular) Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.	CVE-2024-36465
VCID-mhx5-hcg2-wfc4	The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.	CVE-2024-45699
VCID-psak-h1x6-1kca	Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.	CVE-2024-42325

Vulnerability

Summary

Aliases

VCID-172p-q6d5-9ya3

Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.

CVE-2024-36469

VCID-b8tm-2187-wkhz

When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.

CVE-2024-36464

VCID-hfam-an1b-u7e3

A low privilege (regular) Zabbix user with API access can use SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.

CVE-2024-36465

VCID-mhx5-hcg2-wfc4

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

CVE-2024-45699

VCID-psak-h1x6-1kca

Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.

CVE-2024-42325

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:18:42.303616+00:00	Debian Importer	Fixing	VCID-hfam-an1b-u7e3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:10:16.578497+00:00	Debian Importer	Fixing	VCID-hfam-an1b-u7e3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:59:12.192352+00:00	Debian Importer	Fixing	VCID-mhx5-hcg2-wfc4	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:59:11.650004+00:00	Debian Importer	Fixing	VCID-psak-h1x6-1kca	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:59:11.593380+00:00	Debian Importer	Fixing	VCID-172p-q6d5-9ya3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:59:11.356621+00:00	Debian Importer	Fixing	VCID-hfam-an1b-u7e3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:59:11.304937+00:00	Debian Importer	Fixing	VCID-b8tm-2187-wkhz	https://security-tracker.debian.org/tracker/data/json	38.1.0