The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.
A request to LDAP is sent before user permissions are checked.
A memory pointer is in a property of the Duktape object. This leads to multiple vulnerabilities related to direct memory access and manipulation.
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before the URL.
A specially crafted string can cause a buffer overrun in the JSON parser library, leading to a crash of the Zabbix Server or a Zabbix Proxy.
Currently, the geomap configuration (Administration -> General -> Geographical maps) allows using HTML in the “Attribution text” field when the “Other” tile provider is selected.
Seems like Zabbix has just released a bunch of HackerOne CVEs, with a
weird mix of fix versions. Nevertheless, we seem to be all fixed for