Zabbix API SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Zabbix API, specifically in the file 'include/classes/api/CApiService.php'. It allows low-privilege (regular) Zabbix users with API access to execute arbitrary SQL commands by manipulating the 'groupBy' parameter. The root cause is improper neutralization of special elements used in SQL commands: the caller-supplied 'groupBy' value is not validated before it reaches the query.

Impact

Exploitation allows an authenticated Zabbix API user to inject malicious SQL into the database query. Depending on the database permissions of the Zabbix backend, this could lead to unauthorized data access or data manipulation.
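As an added illustration (not Zabbix's code, and not the actual logic of CApiService.php), the pattern that removes this bug class: a 'groupBy' value is checked against an allow-list of known column names before it is placed in a GROUP BY clause, because identifiers cannot be bound as prepared-statement parameters. The table and column names below are hypothetical.

```php
<?php
// Added example, not Zabbix code: validating an API "groupBy" value before
// it is used in a GROUP BY clause. Column names cannot be bound as prepared-
// statement parameters, so an allow-list of known columns per table is the
// practical defence. Table and column names here are hypothetical.

declare(strict_types=1);

// Hypothetical allow-list: which columns a caller may group by, per table.
const GROUP_BY_ALLOWED = [
    'hosts' => ['hostid', 'name', 'status'],
    'items' => ['itemid', 'hostid', 'type'],
];

/**
 * Weak pattern: the caller-supplied value is interpolated as-is, so any
 * string the caller sends becomes part of the SQL statement. This is the
 * class of defect the advisory describes.
 */
function buildGroupByUnsafe(string $table, array $groupBy): string
{
    $list = implode(',', $groupBy);
    return "SELECT $list,COUNT(*) FROM $table GROUP BY $list";
}

/**
 * Hardened pattern: every requested column must be a known column name for
 * that table; anything else is rejected before any SQL is built.
 */
function buildGroupBySafe(string $table, array $groupBy): string
{
    if (!isset(GROUP_BY_ALLOWED[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $cols = [];
    foreach ($groupBy as $col) {
        if (!is_string($col) || !in_array($col, GROUP_BY_ALLOWED[$table], true)) {
            throw new InvalidArgumentException('Invalid groupBy column: ' . var_export($col, true));
        }
        $cols[] = $col; // quote identifiers per DB backend if your schema needs it
    }
    $list = implode(',', $cols);
    return "SELECT $list,COUNT(*) FROM $table GROUP BY $list";
}

// Demo: a legitimate request passes, an arbitrary string is rejected.
echo buildGroupBySafe('hosts', ['status']), "\n";
try {
    buildGroupBySafe('hosts', ['status; -- not a column']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```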

Remediation

Users can upgrade to Zabbix versions 7.0.8rc2, 7.2.2rc1, or 7.4.0alpha1 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 5.0
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.