http://bugzilla.suse.com/show_bug.cgi?id=1019810

Bug ID: 1019810
Summary: [server:monitoring] CVE-2016-10134: Re: CVE Request: Zabbix: SQL injection vulnerabilities in "Latest data"
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: boris@steki.net
Reporter: meissner@suse.com
QA Contact: qa-bugs@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2016-10134

failure to sanitize input in the toggle_ids array in the latest.php page.

https://support.zabbix.com/browse/ZBX-11023
https://bugs.debian.org/850936

Use CVE-2016-10134. The scope of this CVE does not include the "2016 Sep 07 18:41" comment of "could it be that jsrpc.php was affected, too ? if so, the changelog entry should probably be changed to either include all affected endpoints, or at least not exclusively mention latest data." If there is an exploitable problem other than with the latest.php?toggle_ids[]= attack vector, then it should have a separate CVE ID.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10134
http://seclists.org/oss-sec/2017/q1/79

--
You are receiving this mail because:
You are on the CC list for the bug.