Vulnerability Name:
CVE-2012-3435 (CCN-77195)
Assigned:
2012-07-17
Published:
2012-07-17
Updated:
2017-08-29
Summary:
SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.
CVSS v3 Severity:
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
Low
CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
Partial
Availability (A):
Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
Partial
Availability (A):
Partial
Vulnerability Type:
CWE-89
Vulnerability Consequences:
Data Manipulation
References:
Source: MITRE
Type: CNA
CVE-2012-3435
Source: CONFIRM
Type: Exploit, Patch
http://git.zabbixzone.com/zabbix2.0/.git/commitdiff/333a3a5542ba8a2c901c24b7bf5440f41f1f4f54
Source: OSVDB
Type: UNKNOWN
84127
Source: CCN
Type: SA49809
Zabbix "itemid" SQL Injection Vulnerability
Source: SECUNIA
Type: Vendor Advisory
49809
Source: SECUNIA
Type: UNKNOWN
50475
Source: DEBIAN
Type: UNKNOWN
DSA-2539
Source: DEBIAN
Type: DSA-2539
zabbix -- SQL injection
Source: EXPLOIT-DB
Type: Exploit
20087
Source: MLIST
Type: UNKNOWN
[oss-security] 20120727 Zabbix SQL injection flaw (CVE request)
Source: MLIST
Type: UNKNOWN
[oss-security] 20120728 Re: Zabbix SQL injection flaw (CVE request)
Source: CCN
Type: OSVDB ID: 84127
Zabbix popup_bitem.php itemid Parameter SQL Injection
Source: BID
Type: Exploit
54661
Source: CCN
Type: BID-54661
ZABBIX 'itemid' Parameter SQL Injection Vulnerability
Source: CCN
Type: Zabbix Web Site
Homepage of Zabbix :: An Enterprise-Class Open Source Distributed Monitoring Solution
Source: XF
Type: UNKNOWN
zabbix-popupbitem-sql-injection(77195)
Source: CONFIRM
Type: UNKNOWN
https://support.zabbix.com/browse/ZBX-5348
Source: EXPLOIT-DB
Type: EXPLOIT
EDB-ID: 20087
Vulnerable Configuration:
Configuration 1:
cpe:/a:zabbix:zabbix:1.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta10:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta11:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta12:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta2:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta3:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta4:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta5:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta6:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta7:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta8:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1:beta9:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.2:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.3:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.4:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.5:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.6:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.1.7:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.1:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.2:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.3:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.4:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.5:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.6:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.7:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.3.8:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.4.2:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.4.3:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.4.4:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.4.5:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.4.6:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.5:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.5.1:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.5.2:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.5.3:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.5.4:beta:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.2:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.3:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.4:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.5:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.6:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.7:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.8:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.6.9:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.7:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.7.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.7.2:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.7.3:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.7.4:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8.2:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8.3:rc1:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8.3:rc2:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:1.8.3:rc3:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:*:rc1:*:*:*:*:*:*
(Version <= 1.8.15)
OR
cpe:/a:zabbix:zabbix:2.0.0:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc1:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc2:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc3:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc4:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc5:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.0:rc6:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.1:*:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.1:rc1:*:*:*:*:*:*
OR
cpe:/a:zabbix:zabbix:2.0.1:rc2:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:zabbix:zabbix:2.0.1:*:*:*:*:*:*:*
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:20152 | P | DSA-2539-1 zabbix - SQL injection | 2014-06-23
oval:com.ubuntu.precise:def:20123435000 | V | CVE-2012-3435 on Ubuntu 12.04 LTS (precise) - medium. | 2012-08-15
oval:com.ubuntu.xenial:def:201234350000000 | V | CVE-2012-3435 on Ubuntu 16.04 LTS (xenial) - medium. | 2012-08-15
oval:com.ubuntu.trusty:def:20123435000 | V | CVE-2012-3435 on Ubuntu 14.04 LTS (trusty) - medium. | 2012-08-15
oval:com.ubuntu.xenial:def:20123435000 | V | CVE-2012-3435 on Ubuntu 16.04 LTS (xenial) - medium. | 2012-08-15