CVE-2024-45699

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-45699
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45699.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45699
Downstream
Published
2025-04-02T07:15:41.427Z
Modified
2026-02-05T05:49:20.721593Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.

References

Affected packages

Git / github.com/zabbix/zabbix

Affected ranges

Type
GIT
Repo
https://github.com/zabbix/zabbix
Events
Introduced
49955f1fb5c9168a8a24b053f7ade6b3d903143c
Fixed
926aefd76a6a4f70c01e8e9bb8e2ca30d17c3940
Introduced
5203d2ea7d901cd33d148f20586e2155901a7faa
Fixed
ba81419771e13671f487f460587ba6b44b8a38bb

Affected versions

6.*
6.0.0
6.0.1
6.0.10
6.0.10rc1
6.0.10rc2
6.0.11
6.0.11rc1
6.0.11rc2
6.0.12
6.0.12rc1
6.0.12rc2
6.0.13
6.0.13rc1
6.0.14
6.0.14rc1
6.0.14rc2
6.0.15
6.0.15rc1
6.0.15rc2
6.0.16
6.0.16rc1
6.0.17
6.0.17rc1
6.0.17rc2
6.0.18
6.0.18rc1
6.0.19
6.0.19rc1
6.0.1rc1
6.0.1rc2
6.0.1rc3
6.0.1rc4
6.0.2
6.0.20
6.0.20rc1
6.0.21
6.0.21rc1
6.0.22
6.0.22rc1
6.0.23
6.0.23rc1
6.0.25
6.0.25rc1
6.0.26
6.0.26rc1
6.0.27
6.0.27rc1
6.0.28
6.0.28rc1
6.0.29
6.0.29rc1
6.0.2rc1
6.0.3
6.0.30
6.0.30rc1
6.0.31
6.0.31rc1
6.0.32
6.0.32rc1
6.0.33
6.0.33rc1
6.0.34
6.0.34rc1
6.0.34rc2
6.0.35
6.0.35rc1
6.0.36
6.0.36rc1
6.0.37rc1
6.0.3rc1
6.0.4
6.0.4rc1
6.0.5
6.0.5rc1
6.0.6
6.0.6rc1
6.0.7
6.0.7rc1
6.0.8
6.0.8rc1
6.0.8rc2
6.0.9
6.0.9rc1
6.0.9rc2
7.*
7.0.0
7.0.1
7.0.1rc1
7.0.1rc2
7.0.2
7.0.2rc1
7.0.2rc2
7.0.3
7.0.3rc1
7.0.4
7.0.4rc1
7.0.5
7.0.5rc1
7.0.6
7.0.6rc1
7.0.7rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45699.json"
vanir_signatures 
[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/zabbix/zabbix/commit/926aefd76a6a4f70c01e8e9bb8e2ca30d17c3940",
        "digest": {
            "line_hashes": [
                "195514718859809000358301802219281012230",
                "51124480710887780062975113423557880969",
                "287075507978043303153370889250007827002",
                "257324547543244172457020139422772928411",
                "24845084690581143724512006286758187733",
                "125430820405982211301419777429452602815"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-45699-50c7b013",
        "deprecated": false,
        "target": {
            "file": "src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/zabbix/zabbix/commit/ba81419771e13671f487f460587ba6b44b8a38bb",
        "digest": {
            "line_hashes": [
                "195514718859809000358301802219281012230",
                "51124480710887780062975113423557880969",
                "332272145517161978226090846588150270362",
                "79969020919049438165179474254006750396",
                "43325251037359491260513668163672702023",
                "91179429342009451467044206663561981771"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-45699-a00919fb",
        "deprecated": false,
        "target": {
            "file": "src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"
        }
    }
]