[CLOSE] OSVDB ID : 39739 - Disclosed: 2007-06-01

Description:

(Description Provided by CVE) : Z-Blog 1.7 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for zblog.mdb.

[CLOSE] OSVDB ID : 47876 - Disclosed: 2008-08-26

Description:

Z-Breaknews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'single.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 86948 - Disclosed: 2010-12-19

Description:

Z-Com, Inc. TG2521 routers use a single hardcoded SSL private key across all commercial devices. By purchasing a router and extracting the SSL key from the firmware, a remote attacker can use the key to decrypt traffic from any other device of the same model via a Man-in-The-Middle (MiTM) attack. This may give the attacker access to a wide variety of sensitive information including the credentials required to access the administrative interface of the device.

[CLOSE] OSVDB ID : 11098 - Disclosed: 1996-07-16

Description:

(Description Provided by CVE) : A design flaw in the Z-Modem protocol allows the remote sender of a file to execute arbitrary programs on the client, as implemented in rz in the rzsz module of FreeBSD before 2.1.5, and possibly other programs.

[CLOSE] OSVDB ID : 66144 - Disclosed: 2010-01-09

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 71006 - Disclosed: 2011-02-22

Description:

Z-Vote Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the wp-content/plugins/zvote/zvote.php script not properly sanitizing user-supplied input to the 'zvote' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 52272 - Disclosed: 2008-12-01

Description:

Z1Exchange contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'edit.php' script not properly sanitizing user-supplied input to the 'site' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52304 - Disclosed: 2008-12-01

Description:

Z1Exchange contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'showads.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52308 - Disclosed: 2008-12-02

Description:

Z1Exchange contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'id' parameters upon submission to the 'showads.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 74275 - Disclosed: 2011-07-28

Description:

Zabbix contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'backurl' parameter upon submission to the acknow.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 60956 - Disclosed: 2009-09-10

Description:

Zabbix Agent on FreeBSD and Solaris contains a flaw that may allow an attacker to execute arbitrary code. The issue is triggered when a specially crafted request is sent from the IP address of a legitimate Zabbix server.

[CLOSE] OSVDB ID : 65276 - Disclosed: 2010-05-24

Description:

Zabbix contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the events.php script not properly sanitizing user-supplied input to the 'nav_time' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 66647 - Disclosed: 2010-07-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery function in frontends/php/include/classes/class.curl.php in Zabbix before 1.8.3rc1 allow remote attackers to inject arbitrary web script or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or (4) txt_select parameters to the triggers page (tr_status.php). NOTE: some of these details are obtained from third party information.

[CLOSE] OSVDB ID : 77771 - Disclosed: 2011-12-14

Description:

Zabbix contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'gname' (Host name) parameter upon submission to the hostgroups.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 78087 - Disclosed: 2011-12-14

Description:

Zabbix contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'update' action upon submission to the hosts.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 60968 - Disclosed: 2009-09-10

Description:

(Description Provided by CVE) : The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword.

[CLOSE] OSVDB ID : 78086 - Disclosed: 2011-12-14

Description:

Zabbix contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'update' action upon submission to the maintenance.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 56145 - Disclosed: 2009-03-30

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 56146 - Disclosed: 2009-03-30

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 56147 - Disclosed: 2009-03-30

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 29575 - Disclosed: 2006-10-06

Description:

(Description Provided by CVE) : Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in information that would be recorded in the system log using (1) zabbix_log or (2) zabbix_syslog.

[CLOSE] OSVDB ID : 29576 - Disclosed: 2006-10-06

Description:

(Description Provided by CVE) : Multiple buffer overflows in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via long strings to the (1) zabbix_log and (2) zabbix_syslog functions.

[CLOSE] OSVDB ID : 60965 - Disclosed: 2009-09-10

Description:

(Description Provided by CVE) : The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.

[CLOSE] OSVDB ID : 63456 - Disclosed: 2010-04-01

Description:

Zabbix PHP Frontend contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'api_jsonrpc.php' script not properly sanitizing user-supplied input to the 'user' JSON parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 52403 - Disclosed: 2009-03-03

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 52405 - Disclosed: 2009-03-03

Description:

ZABBIX PHP Frontend contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'locales.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'srclang' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 52404 - Disclosed: 2009-03-03

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 77509 - Disclosed: 2011-11-24

Description:

Zabbix contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the popup.php script not properly sanitizing user-supplied input to the 'only_hostid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 74665 - Disclosed: 2011-05-25

Description:

(Description Provided by CVE) : Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message.

[CLOSE] OSVDB ID : 74663 - Disclosed: 2011-05-25

Description:

(Description Provided by CVE) : popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter.