Vulnerability CVE-2010-5049 - CERT Civis.Net

Vulnerability Name:

CVE-2010-5049 (CCN-60500)

Assigned:

2010-05-24

Published:

2010-05-24

Updated:

2018-10-10

Summary:

SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier allows remote attackers to execute arbitrary SQL commands via the nav_time parameter.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Data Manipulation

References:

Source: CCN
Type: BugTraq Mailing List, Mon May 24 2010 - 12:48:07 CDT
SQL injection vulnerability in Zabbix <= 1.8.1

Source: MITRE
Type: CNA
CVE-2010-5049

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.org/1004-exploits/zabbix181-sql.txt

Source: CCN
Type: SA39119
Zabbix PHP Frontend "user" SQL Injection Vulnerability

Source: SECUNIA
Type: Vendor Advisory
39119

Source: CCN
Type: OSVDB ID: 65276
Zabbix events.php nav_time Parameter SQL Injection

Source: BUGTRAQ
Type: UNKNOWN
20100524 SQL injection vulnerability in Zabbix <= 1.8.1

Source: BID
Type: UNKNOWN
39752

Source: CCN
Type: BID-39752
ZABBIX 'nav_time' Parameter SQL Injection Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2010-1240

Source: CCN
Type: Zabbix Web site
Zabbix

Source: XF
Type: UNKNOWN
zabbix-events-sql-injection(60500)

Vulnerable Configuration:

Configuration 1:

cpe:/a:zabbix:zabbix:1.1:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta10:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta11:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta12:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta2:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta3:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta4:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta5:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta6:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta7:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta8:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1:beta9:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.2:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.3:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.4:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.5:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.6:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.1.7:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.1:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.2:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.3:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.4:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.5:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.6:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.7:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.3.8:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.4.4:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.4.5:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.4.6:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.5:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.5.1:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.5.2:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.5.3:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.5.4:beta:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.3:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.4:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.5:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.6:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.7:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.8:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.6.9:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.7:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.7.1:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.7.2:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.7.3:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.7.4:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:1.8:*:*:*:*:*:*:*

OR cpe:/a:zabbix:zabbix:*:*:*:*:*:*:*:* (Version <= 1.8.1)

Configuration CCN 1:

cpe:/a:zabbix:zabbix:1.8.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20105049000	V	CVE-2010-5049 on Ubuntu 12.04 LTS (precise) - medium.	2011-11-22