Mailinglist Archive: opensuse-bugs (4247 mails)

[Bug 1019810] New: [server:monitoring] CVE-2016-10134: Re: CVE Request: Zabbix: SQL injection vulnerabilities in "Latest data"
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 13 Jan 2017 08:46:06 +0000
  • Message-id: <bug-1019810-21960@http.bugzilla.suse.com/>
http://bugzilla.suse.com/show_bug.cgi?id=1019810


Bug ID: 1019810
Summary: [server:monitoring] CVE-2016-10134: Re: CVE Request:
Zabbix: SQL injection vulnerabilities in "Latest data"
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: boris@xxxxxxxxx
Reporter: meissner@xxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: Security Response Team
Blocker: ---

CVE-2016-10134

Failure to sanitize input in the toggle_ids array in the latest.php page.


https://support.zabbix.com/browse/ZBX-11023
https://bugs.debian.org/850936


Use CVE-2016-10134.

The scope of this CVE does not include the "2016 Sep 07 18:41" comment
of "could it be that jsrpc.php was affected, too ? if so, the
changelog entry should probably be changed to either include all
affected endpoints, or at least not exclusively mention latest data."
If there is an exploitable problem other than with the
latest.php?toggle_ids[]= attack vector, then it should have a separate
CVE ID.
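The flaw described above is a request array (toggle_ids[]) reaching an SQL statement without validation. The following PHP is an added illustration of the defensive pattern, not Zabbix code and not the upstream fix: every element of the array is checked to be a canonical integer (nested arrays and non-numeric strings are rejected) before it is bound to a prepared statement. The table name, column names and the SQLite sample data are constructed for the demo.

```php
<?php
// Added example (hypothetical helper names); not Zabbix's latest.php.

/**
 * Reduce an untrusted request array to a list of distinct positive integers.
 * Throws on anything that is not a canonical integer string, including
 * nested arrays (toggle_ids[][]=...) and strings with SQL fragments.
 */
function sanitizeIdList(array $raw): array
{
    $ids = [];
    foreach ($raw as $v) {
        // Request values are strings; ints are accepted for internal callers.
        if (is_string($v) || is_int($v)) {
            $s = (string) $v;
            // No leading zeros, no sign, no whitespace, bounded length.
            if (preg_match('/^[1-9][0-9]{0,17}$/', $s) === 1) {
                $ids[] = (int) $s;
                continue;
            }
        }
        throw new InvalidArgumentException('invalid id in toggle list');
    }
    return array_values(array_unique($ids));
}

/**
 * Look up rows for the validated ids using one bound placeholder per id,
 * so the values are never interpolated into the SQL text.
 */
function fetchItems(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT itemid, name FROM items WHERE itemid IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (itemid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items VALUES (1,'cpu'),(2,'mem'),(3,'disk')");

// Well-formed request: duplicates collapse, only ids 2 and 3 are returned.
$ids = sanitizeIdList(['2', '3', '3']);
print_r(fetchItems($db, $ids));

// Malformed request: rejected before any SQL is built.
foreach ([['2', '3 OR 1=1'], ['1', ['nested']], ['007']] as $bad) {
    try {
        sanitizeIdList($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . json_encode($bad) . "\n";
    }
}
```

The validation step is what matters for detection as well: a rejected toggle_ids element is a good candidate for a logged warning, since a legitimate UI never sends anything but integer ids in that array.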



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10134
http://seclists.org/oss-sec/2017/q1/79

--
You are receiving this mail because:
You are on the CC list for the bug.