CVE-2024-22122
Published: 2024-08-12
Priority: P358 · Critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.61% (72.8th percentile)
Zabbix allows SMS notifications to be configured. AT command injection occurs on the Zabbix Server because the "Number" field is validated neither in the web frontend nor on the Zabbix server side. An attacker can run the SMS test with a specially crafted phone number and execute additional AT commands on the modem.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye) | zabbix 1:5.0.44+dfsg-1+deb11u1 (bullseye) |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:5.0.44+dfsg-1+deb11u1 | 1:5.0.44+dfsg-1+deb11u1 |
| zabbix | zabbix | >= 0 < 1:7.0.0+dfsg-1 | 1:7.0.0+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:7.0.0+dfsg-1 | 1:7.0.0+dfsg-1 |
| zabbix | zabbix | 5.0.0 – 5.0.42 | — |
| zabbix | zabbix | 6.0.0 – 6.0.30 | — |
| zabbix | zabbix | 6.4.0 – 6.4.15 | — |
| zabbix | zabbix | 7.0.0alpha1 – 7.0.0rc2 | — |
CVSS provenance
| Source | Score / severity | Vector |
|---|---|---|
| nvd (v3.1) | 9.1 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| osv | 9.1 CRITICAL | — |
| vendor_debian | 3.0 LOW | — |
Debian
CVE-2024-22122: zabbix (vendor_debian · 2024 · CVSS 3.0 · LOW)
Scope: local
bookworm: open
bullseye: resolved (fixed in 1:5.0.44+dfsg-1+deb11u1)
forky: resolved (fixed in 1:7.0.0+dfsg-1)
sid: resolved (fixed in 1:7.0.0+dfsg-1)
trixie: resolved (fixed in 1:7.0.0+dfsg-1)
GHSA
GHSA-m34r-jrv8-mwmv: Zabbix allows to configure SMS notifications (ghsa_unreviewed · 2024-08-12 · LOW · CWE-77)
OSV
CVE-2024-22122: Zabbix allows to configure SMS notifications (osv · 2024-08-12 · CVSS 9.1 · CRITICAL)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.