An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-11-27
When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.
CVSS Score
2.2
EPSS Score
0.001
Published
2024-11-26
The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.
CVSS Score
6.5
EPSS Score
0.004
Published
2024-11-26
Page 2