CVE-2016-10742 — zabbix - security update

Description

Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.

How to fix CVE-2016-10742

To remediate CVE-2016-10742, upgrade the affected package to a fixed version below.

Debian/zabbix—upgrade to 1:3.0.17+dfsg-1 or later
Debian/zabbix—upgrade to 1:2.2.23+dfsg-0+deb8u1 or later
—upgrade to 1:3.0.31+dfsg-0+deb9u1 or later

Is CVE-2016-10742 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1:3.0.17+dfsg-1
from 0, < 1:2.2.23+dfsg-0+deb8u1
from 0, < 1:3.0.31+dfsg-0+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-10742