Justonezero

**Name of the Vulnerable Software and Affected Versions** Zabbix versions 6.4.0 through 6.4.15 Zabbix versions 7.0.0alpha1 through 7.0.0rc2 **Description** The issue is related to the lack of default escaping for script parameters in the Monitoring Hosts section of Zabbix, allowing an administrator with restricted permissions to execute arbitrary code via the Ping script. This can lead to infrastructure compromise. Over 87,000 results have been found to be potentially affected, mainly distributed in Brazil, the United States, and other countries. **Recommendations** For Zabbix versions 6.4.0 through 6.4.15, update to version 6.4.16rc1 or later. For Zabbix versions 7.0.0alpha1 through 7.0.0rc2, update to version 7.0.0rc3 or later. As a temporary workaround, consider disabling the script execution functionality within the Monitoring Hosts section until a patch is available. Restrict access to the Monitoring Hosts section to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zabbix versions prior to 7.0.0rc2 **Description** The issue is related to uncontrolled resource consumption, where an attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system. **Recommendations** For Zabbix versions prior to 7.0.0rc2, patch systems as soon as possible to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.