CVE-2024-36467

HIGH EPSS 49.7%

Published Nov 27, 20241y ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published Nov 27, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

49.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-285

Affected Products 4

Vendor	Product	Version	Range
zabbix	zabbix	*	≥5.0.0 – <5.0.43
zabbix	zabbix	*	≥6.0.0 – <6.0.33
zabbix	zabbix	*	≥6.4.0 – <6.4.18
zabbix	zabbix	*	≥7.0.0 – <7.0.2

References 1

support.zabbix.com https://support.zabbix.com/browse/ZBX-25614

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.