CVE-2024-22120
8.8
HIGH
CVSS 3.1
EPSS 91.9%
Description
Zabbix server can execute commands on behalf of configured scripts. After a command is executed, an audit entry is added to the "Audit Log". Because the "clientip" field of that entry is not sanitized before it is placed in the SQL statement, an attacker can inject SQL through "clientip" and exploit it as a time-based blind SQL injection.
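The description above says the clientip value reaches the audit-log SQL unsanitised. The Python below is an added example, not Zabbix source and not a proof of concept for this CVE: it puts the vulnerable string-built INSERT next to a parameterised form guarded by an allow-list check (the value must parse as an IP address), and adds a screening function for audit rows whose clientip is not a valid address. The auditlog/users tables, the sample rows and the `x'||(SELECT ...)` payload are constructed for the example; SQLite has no sleep primitive, so the time-based variant the advisory describes is not reproduced, only the same sink.

```python
"""Added example (not Zabbix code): screening audit-log clientip values and
contrasting an unsafe string-built INSERT with a validated, parameterised one.
Schema, sample rows and payload are constructed for this example."""
import ipaddress
import re
import sqlite3

# Indicators that a field which should only ever hold an IP address carries SQL.
SQLI_MARKERS = re.compile(
    r"""(?ix)
    ['"`;]                                     # quote or statement terminator
    | --                                       # line comment
    | /\*                                      # block comment
    | \b(sleep|pg_sleep|benchmark|waitfor)\b   # time-based blind primitives
    | \b(select|union)\b                       # query keywords
    """
)

# Constructed sample audit rows: (auditid, clientip).
SAMPLE_ROWS = [
    (1, "203.0.113.5"),
    (2, "2001:db8::1"),
    (3, "203.0.113.5' AND SLEEP(5)-- "),
    (4, "not-an-ip"),
]


def is_valid_clientip(value: str) -> bool:
    """Allow-list check: a client IP must parse as IPv4 or IPv6, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def injection_indicators(value: str) -> list[str]:
    """Distinct SQL markers found in the value, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in SQLI_MARKERS.finditer(value)})


def scan_audit_rows(rows):
    """Return (auditid, clientip, indicators) for every row whose clientip is not a
    valid IP. Rows with no markers are still reported: the field is malformed."""
    findings = []
    for auditid, clientip in rows:
        if not is_valid_clientip(clientip):
            findings.append((auditid, clientip, injection_indicators(clientip)))
    return findings


def insert_unsafe(conn, clientip: str) -> None:
    """Vulnerable pattern: the value is spliced into the SQL text."""
    conn.execute(f"INSERT INTO auditlog (clientip) VALUES ('{clientip}')")


def insert_safe(conn, clientip: str) -> None:
    """Hardened pattern: validate against the allow-list, then bind as a parameter."""
    if not is_valid_clientip(clientip):
        raise ValueError(f"rejected clientip: {clientip!r}")
    conn.execute("INSERT INTO auditlog (clientip) VALUES (?)", (clientip,))


def demo() -> dict:
    """Run both inserts against a constructed in-memory schema and report results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'secret-hash')")
    conn.execute("CREATE TABLE auditlog (clientip TEXT)")

    # Constructed payload: closes the literal and concatenates a sub-select.
    payload = "x'||(SELECT passwd FROM users WHERE userid=1)||'"
    insert_unsafe(conn, payload)
    unsafe_stored = conn.execute("SELECT clientip FROM auditlog").fetchone()[0]

    try:
        insert_safe(conn, payload)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    insert_safe(conn, "192.0.2.10")
    safe_stored = conn.execute(
        "SELECT clientip FROM auditlog ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]

    return {
        "unsafe_stored": unsafe_stored,   # the sub-select ran: "xsecret-hash"
        "safe_rejected": safe_rejected,   # payload never reached the database
        "safe_stored": safe_stored,
    }


if __name__ == "__main__":
    print(demo())
    for finding in scan_audit_rows(SAMPLE_ROWS):
        print("suspicious audit row:", finding)
```

The allow-list check is the cheap part to add to any code path that writes a client address into a query, and the screening function is the check to run over an existing audit table after patching: any clientip that does not parse as an IP was written by something other than a normal client.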
How to fix CVE-2024-22120
No fixed version is listed for the tracked package. Until one is, mitigate by removing or isolating the affected package, restricting which users can run configured scripts, and following upstream guidance from the references.
- Debian/zabbix: no fix listed
Is CVE-2024-22120 being exploited?
Likely. EPSS is 91.9%, placing CVE-2024-22120 in the top tier of vulnerabilities by estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not confirmation of observed attacks, but at this score patching should be prioritised.
Affected packages (1)
- Debian/zabbix: affected from version 0 (all versions; no fixed version listed)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |