Zabbix Server and Proxy Insufficient Isolation of JavaScript Execution Context Vulnerability

Vulnerability

A vulnerability exists in Zabbix Server and Proxy versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.18, 7.2.0 through 7.2.12, and 7.4.0 through 7.4.2, because Duktape reuses JavaScript execution contexts as a performance optimization. This context reuse can result in a confidentiality breach: a regular (non-super) Zabbix administrator can access data from hosts they are not authorized to access. Although a patch has been implemented to make Zabbix's built-in JavaScript objects read-only, it is advised to avoid using global JavaScript variables, as they could inadvertently leak information between scripts.

Impact

Exploitation of this vulnerability could lead to unauthorized data access, allowing a regular Zabbix administrator to read global JavaScript variables or overwrite built-in JavaScript functions, which could then be executed on other objects.

Remediation

Users should update to Zabbix Server or Proxy versions 6.0.41, 7.0.19, 7.2.13, or 7.4.3. Additionally, it is recommended to ensure that JavaScript item preprocessing scripts do not keep sensitive information in global variables.

Added: Mar 24, 2026, 7:46 PM
Updated: Mar 24, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.8
remediation: 0.0
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.