CVE-2024-42327
CVSS 3.1 base score 9.9 (CRITICAL)
EPSS 91.4%
Description
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that grants API access, can exploit this vulnerability. An SQL injection exists in the addRelatedObjects function of the CUser class; that function is called from CUser.get, the handler behind the user.get API method, which is available to every user who has API access. The practical consequence is that any credential able to call the API, including a low-privileged default User account, is enough to inject into queries run by the frontend's database connection. The CVSS vector (PR:L, S:C, C:H/I:H/A:H) reflects exactly that: low privileges required, and an impact that crosses from the frontend into the backend database.
How to fix CVE-2024-42327
The OSV record this page is built from lists no fixed version (its affected range is open-ended from 0), so rely on the upstream references for the fixed release of your branch: Zabbix shipped the fix in the 6.0.32rc1, 6.4.17rc1 and 7.0.1rc1 builds, so 6.0.0 to 6.0.31, 6.4.0 to 6.4.16 and 7.0.0 are the affected releases. Confirm those numbers against the vendor advisory before acting on them. Until you can upgrade, reduce exposure: the injection is only reachable through an API call, so audit which user roles have API access enabled and remove it from roles that do not need it, and restrict network access to the frontend's api_jsonrpc.php endpoint to the hosts that legitimately use it. Removing the affected package is only a mitigation where the frontend is not actually needed.
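A version check you can run against a reachable frontend, added here as an example rather than code from the Zabbix project or from this page. It calls the unauthenticated apiinfo.version JSON-RPC method and compares the answer with the affected ranges; those ranges are taken from the upstream advisory as summarised above, not from the OSV record on this page, and the api_jsonrpc.php URL in the usage block is a placeholder. Verify the ranges against the vendor advisory before relying on the verdict.

```python
"""Classify a Zabbix version against the CVE-2024-42327 affected ranges.

Added example, not Zabbix project code. The ranges below come from the
upstream advisory / NVD record, not from the OSV entry on this page;
confirm them against the vendor advisory before trusting the result.
"""
import json
import re
import urllib.request

# (first affected, first fixed) per release branch, as published upstream.
# The fix landed in the rc1 build of each line, so x.y.z >= first_fixed is safe.
# Branches not listed here (e.g. EoL 6.2.x) are reported as not affected by
# this check; treat them as "unknown" and consult the advisory.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 32)),
    ((6, 4, 0), (6, 4, 17)),
    ((7, 0, 0), (7, 0, 1)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like '6.0.31' or '7.0.1rc1'.

    The rc suffix is ignored on purpose: the fix is present from rc1 onward.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fetch_version(api_url, timeout=10):
    """Ask the frontend for its version via apiinfo.version (no auth needed).

    apiinfo.version is one of the few methods callable without a session, so
    this works against any frontend you can reach on the network.
    """
    payload = {"jsonrpc": "2.0", "method": "apiinfo.version", "params": [], "id": 1}
    req = urllib.request.Request(
        api_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    import sys

    # Placeholder URL; pass your frontend's api_jsonrpc.php as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://zabbix.example/api_jsonrpc.php"
    ver = fetch_version(url)
    verdict = "AFFECTED" if is_affected(ver) else "not affected (or branch not listed)"
    print(f"{url}: Zabbix {ver} -> {verdict}")
```

Because the version method needs no session, the same script doubles as a quick inventory tool across an estate of frontends; a frontend that answers it from an untrusted network is also a frontend whose api_jsonrpc.php exposure you should be tightening as described above.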
Is CVE-2024-42327 being exploited?
Likely. An EPSS score of 91.4% places CVE-2024-42327 in the top tier of vulnerabilities by predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction rather than evidence of a specific attack, but together with a critical base score, a low-privilege prerequisite and a publicly named injection point it justifies prioritising the patch ahead of most other findings.
Affected packages (1)
- Zabbix frontend (OSV record: introduced at version 0, no fixed version listed)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |