A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application.
In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation
A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have
A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.
An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ab
User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.
A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the CUser class in the addRel
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.
An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of serv
An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands.
Users with administrative privileges ma
A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and
An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of
A stored Cross-site Scripting (XSS) vulnerability affecting Change Governance in Product Manager from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbi
Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an ex
A non-admin user can cause short-term disruption in Target VM availability in Citrix Provisioning
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.
In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege.
The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now res
Page 1+ Next →