PT-2026-27473 · Zabbix+1 · Zabbix+1
Big_John · Published 2026-03-24 · Updated 2026-04-17 · CVE-2026-23919
CVSS v4.0: 7.1 (High)
Vector: AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Zabbix versions prior to 7.4
Description
A design flaw in Zabbix Server/Proxy related to JavaScript (Duktape) context reuse can result in data leakage. Specifically, a regular Zabbix administrator may unintentionally expose data for hosts they are not authorized to access. The issue stems from the way JavaScript contexts are handled during script item processing, JavaScript reprocessing, and Webhooks. A fix has been implemented to make built-in Zabbix JavaScript objects read-only, but the use of global JavaScript variables is discouraged as their content could still be exposed.
Recommendations
Update to Zabbix version 7.4 or later.
Avoid using global JavaScript variables.
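Why the second recommendation matters, as an added example that is not from the advisory or from Zabbix code: a Node.js vm context stands in for a reused Duktape context, and an audit helper reports which global names a script leaves behind for the next run. The function names, script bodies and token value are constructed for this illustration, and scripts are modelled as a function body that receives value.

```javascript
// Added illustration: a Node.js vm context stands in for a reused
// Duktape context. Script bodies and the token are constructed samples.
const vm = require('vm');

// Model a script as a function body that receives `value`.
function wrapScript(body) {
  return '(function (value) {' + body + '\n})';
}

// Run one script body in ctx; report the global names it left behind.
function runAndAudit(ctx, body, value) {
  const before = new Set(Object.keys(ctx));
  const result = vm.runInContext(wrapScript(body), ctx)(value);
  const leaked = Object.keys(ctx).filter((name) => !before.has(name));
  return { result, leaked };
}

// Undeclared assignment: `cache` becomes a property of the context global.
const GLOBAL_STATE = "cache = JSON.parse(value).token; return 'ok';";
// Declared with var inside the function body: gone when the run ends.
const LOCAL_STATE = "var cache = JSON.parse(value).token; return 'ok';";
// A later script, run for a different host in the same context.
const PROBE = "return typeof cache === 'undefined' ? 'clean' : 'stale:' + cache;";

function demo(firstScript) {
  const ctx = vm.createContext({}); // one context, reused for both runs
  const first = runAndAudit(ctx, firstScript, '{"token":"host-A-sample"}');
  const second = runAndAudit(ctx, PROBE, '{}');
  return { leaked: first.leaked, laterRunSees: second.result };
}

console.log('global variable:', demo(GLOBAL_STATE));
console.log('local variable: ', demo(LOCAL_STATE));
```

A non-empty leaked list marks a script that keeps state in the shared context; declaring the variable inside the script body removes it.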
Affected products
Red Os
Zabbix