Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-3435 — SQL Injection in Zabbix

CWE-89 — SQL Injection6 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.8%

top 17.16%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zabbix Debian Zabbix

Timeline

PublishedAug 15

Latest updateMay 17

Description

SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/zabbix< zabbix 1:2.0.2+dfsg-1 (bookworm)

▶Debianzabbix/zabbix< 1:2.0.2+dfsg-1+3

▶NVDzabbix/zabbix1.8.15+48

Patches

Patch: git.zabbixzone.com ↗Patch: git.zabbixzone.com ↗

🔴Vulnerability Details

GHSA

GHSA-w8xh-986v-xwgh: SQL injection vulnerability in frontends/php/popup_bitem↗2022-05-17

▶

OSV

CVE-2012-3435: SQL injection vulnerability in frontends/php/popup_bitem↗2012-08-15

▶

💥Exploits & PoCs

Exploit-DB

Zabbix 2.0.1 - Session Extractor↗2012-07-24

▶

📋Vendor Advisories

Debian

CVE-2012-3435: zabbix - SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1...↗2012

▶

💬Community

Bugzilla

CVE-2012-3435 zabbix: SQL injection vulnerability via the "itemid" parameter↗2012-07-27

▶