Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-4499 — SQL Injection in Zabbix
Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 52.34%)
CISA KEV: Not in KEV
Exploit: PoC available
Affected products
Timeline
Published: Dec 31
Latest update: May 2
Description
SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c.
CVSS vector
AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4
Affected Packages: 3 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-xhfh-28gq-v6jp: SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1… (2022-05-02)
OSV
CVE-2009-4499: SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1… (2009-12-31)
💥 Exploits & PoCs (1)
📋 Vendor Advisories (1)
Debian
CVE-2009-4499: zabbix - SQL injection vulnerability in the get_history_lastid function in the nodewatche... (2009)