All errata/p11/ALT-PU-2026-8730-2
ALT-PU-2026-8730-2

Package update zabbix in branch p11

Version7.0.27-alt0.p11.1
Task#420184
Published2026-06-10
Max severityHIGH
Severity:

Closed issues (7)

BDU:2026-05709
MEDIUM6.4

Уязвимость универсальной системы мониторинга Zabbix, связанная с недостатками механизма авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-04-21Modified: 2026-06-18
CVSS 3.xMEDIUM 6.4
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P
References
BDU:2026-06431
HIGH8.4

Уязвимость пользовательского интерфейса универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный код

Published: 2026-05-07Modified: 2026-06-18
CVSS 3.xHIGH 8.4
CVSS:3.x/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
BDU:2026-06432
HIGH8.4

Уязвимость пользовательского интерфейса универсальной системы мониторинга Zabbix, позволяющая нарушителю выполнить произвольный JavaScript-код

Published: 2026-05-07Modified: 2026-06-18
CVSS 3.xHIGH 8.4
CVSS:3.x/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
References
CVE-2026-23925
MEDIUM5.1

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

Published: 2026-03-06Modified: 2026-06-17
CVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0MEDIUM 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-23926
HIGH7.3

An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.

Published: 2026-05-06Modified: 2026-06-17
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-23927
MEDIUM5.1

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.

Published: 2026-05-06Modified: 2026-06-17
CVSS 4.0MEDIUM 5.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-23928
HIGH7.3

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.

Published: 2026-05-06Modified: 2026-06-17
CVSS 4.0HIGH 7.3
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References