CVE-2013-5743
published 2019-12-11

CVE-2013-5743: Multiple SQL injection vulnerabilities in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1, and 2.1.x before 2.1.7.

Priority: P2 (77)
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 79.99% (99.6th percentile)

Affected

8 ranges listed (four identical Debian package rows shown once)

Vendor   Product   Version range                   Fixed in
debian   zabbix    < 1:2.0.8+dfsg-2 (bookworm)     1:2.0.8+dfsg-2 (bookworm)
zabbix   zabbix    >= 0, < 1:2.0.8+dfsg-2          1:2.0.8+dfsg-2
zabbix   zabbix    1.8 – 1.8.17                    –
zabbix   zabbix    2.0.0 – 2.0.8                   –
zabbix   zabbix    2.1.0 – 2.1.7                   –

Detection & IOCs (extracted from sources)

path: /zabbix/httpmon.php
path: /zabbix/scripts.php
path: /zabbix/scripts_exec.php
  • Monitor GET requests to httpmon.php whose 'applications' parameter carries an SQL injection payload. Zabbix expects an application id in that parameter, so a non-integer value is itself a strong signal. This unauthenticated SQLi is the entry point the public exploit uses to read a valid session ID out of the database.
  • Alert on POST requests to scripts.php that create a new script (form=Create+script) with type=0 and execute_on=1; this is how the exploit stages its remote code execution payload. scripts_exec.php is the third path the exploit touches, but administrators also execute scripts legitimately, so treat requests to it as a correlation signal rather than an alert on their own.
  • The chain is: unauthenticated SQLi via 'applications' on httpmon.php to recover an active session ID, then escalation to RCE only if that session belongs to an administrator. An SQLi hit on httpmon.php followed by a script-creating POST to scripts.php from the same source is the high-confidence pairing.
  • The exploit's default TARGETURI is '/zabbix'; installations with a non-default base path use a different URI prefix, so match on the script name (httpmon.php, scripts.php, scripts_exec.php) rather than on a fixed /zabbix/ path.
  • Affected versions span three release branches: 1.8.x before 1.8.18rc1, 2.0.x before 2.0.9rc1 and 2.1.x before 2.1.7. Inventory all three branches, not only the 2.0.x line that the Debian package ranges cover.
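The rules above, turned into a small request classifier. This is an added example written for this page, not code from the source advisory or from the exploit; it assumes request records of the form (method, URI, form body), a constructed sample set that is labelled as such, and detection tag names chosen here. The 'command' and 'name' form fields in the samples are assumed, since the advisory only names form, type and execute_on. POST bodies are only available if a proxy, WAF or request-body logger records them; a plain access log will show the scripts.php POST without its parameters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script names from the advisory. Matching on the final path segment keeps the
# rule valid when the Zabbix base path is not the exploit's default '/zabbix'.
WATCHED_SCRIPTS = {"httpmon.php", "scripts.php", "scripts_exec.php"}

# 'applications' should carry an integer application id, so a non-integer value
# is already suspect; these markers are a second, noisier signal that filters
# out harmless malformed values.
SQLI_MARKERS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|'"
    r"|\b(or|and)\b\s*\S+\s*=\s*\S+)"
)


def _merged_params(query: str, body: str) -> dict:
    """Fold URL query string and form body into one {name: [values]} dict."""
    merged: dict = {}
    for src in (query, body):
        for key, vals in parse_qs(src, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(vals)
    return merged


def classify(method: str, uri: str, body: str = ""):
    """Return a detection tag for one request, or None if it is uninteresting."""
    parts = urlsplit(uri)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return None
    method = method.upper()
    params = _merged_params(parts.query, body)

    if script == "httpmon.php" and method == "GET":
        for value in params.get("applications", []):
            if not re.fullmatch(r"\s*\d+\s*", value) and SQLI_MARKERS.search(value):
                return "zabbix-httpmon-applications-sqli"
        return None

    if script == "scripts.php" and method == "POST":
        form = params.get("form", [""])[0].strip().lower()
        if (form == "create script"
                and params.get("type") == ["0"]
                and params.get("execute_on") == ["1"]):
            return "zabbix-scripts-create-script-staging"
        return None

    if script == "scripts_exec.php":
        # Listed only as a path IOC; administrators execute scripts legitimately,
        # so this is a correlation signal, not an alert on its own.
        return "zabbix-scripts_exec-request"
    return None


# Constructed sample requests (method, URI, form body); not real traffic.
# 'name' and 'command' are assumed field names, not taken from the advisory.
SAMPLE_REQUESTS = [
    ("GET", "/zabbix/httpmon.php?applications=2%20UNION%20SELECT%201,2--", ""),
    ("GET", "/monitoring/httpmon.php?applications=1", ""),
    ("POST", "/monitoring/scripts.php",
     "form=Create+script&type=0&execute_on=1&name=x&command=id"),
    ("POST", "/zabbix/scripts.php",
     "form=Create+script&type=1&execute_on=0&name=ipmi"),
    ("GET", "/zabbix/dashboard.php", ""),
    ("GET", "/monitoring/httpmon.php?applications=1'%20OR%20'1'='1", ""),
]


def scan(requests):
    """Run classify() over a request list; returns [(index, tag)] for hits."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        tag = classify(method, uri, body)
        if tag:
            hits.append((i, tag))
    return hits


if __name__ == "__main__":
    for i, tag in scan(SAMPLE_REQUESTS):
        print(f"{i}: {tag}  {SAMPLE_REQUESTS[i][0]} {SAMPLE_REQUESTS[i][1]}")
```

The non-default base path in the samples (/monitoring/) is matched because only the final path segment is compared; the scripts.php POST with type=1 is deliberately left unflagged so the rule stays tied to the exact type=0, execute_on=1 combination the sources describe. Feed the output into whatever correlates by source address: the SQLi tag followed by the staging tag from one client is the pairing worth paging on.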

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             –         9.8     CRITICAL   –
vendor_debian   –         9.8     CRITICAL   –