Upgrade Zabbix to Fix Critical SQL Injection Vulnerability

Zabbix disclosed a critical SQL injection vulnerability (CVE-2024-42327) in the CUser.get function in their open-source network monitoring tool. The vulnerability could be exploited by anyone with “a non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access.” The vulnerability affects Zabbix versions 6.0.0 – 6.0.31, 6.4.0 – 6.4.16, and 7.0.0. Users are urged to upgrade to versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1.

Reference: https://www.theregister.com/2024/11/29/zabbix_urges_upgrades_after_critical/
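A version triage built from the ranges listed above, as an added example that is not code from Zabbix or from the original article. The host names and inventory are constructed, and treating every later release in a listed branch as fixed is an assumption.

```python
import re

# Ranges as stated in the text above:
# branch -> (first affected patch, last affected patch, upgrade target named there)
AFFECTED = {
    (6, 0): (0, 31, "6.0.32rc1"),
    (6, 4): (0, 16, "6.4.17rc1"),
    (7, 0): (0, 0, "7.0.1rc1"),
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:alpha|beta|rc)\d+)?$")


def classify(version):
    """Return (status, upgrade_target); status is affected/fixed/unlisted/unparsed."""
    m = _VERSION.match(version.strip())
    if not m:
        return ("unparsed", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    branch = AFFECTED.get((major, minor))
    if branch is None:
        return ("unlisted", None)  # the text says nothing about this branch
    low, high, fixed = branch
    if patch > high:
        # Assumption: releases after the last affected patch carry the fix.
        return ("fixed", None)
    if patch == low and m.group(4):
        # A pre-release of X.Y.0 sorts before X.Y.0, outside the stated range.
        return ("unlisted", None)
    return ("affected", fixed)


def audit(inventory):
    """Map host -> (version, status, upgrade_target) for hosts not known fixed."""
    report = {}
    for host, version in inventory.items():
        status, target = classify(version)
        if status != "fixed":
            report[host] = (version, status, target)
    return report


# Constructed inventory (hypothetical host names) for illustration.
SAMPLE = {"mon-a": "6.0.31", "mon-b": "6.4.17rc1",
          "mon-c": "7.0.0", "mon-d": "5.0.42"}

if __name__ == "__main__":
    for host, row in audit(SAMPLE).items():
        print(host, *row)
```

Hosts reported as `unlisted` are releases the text above does not cover, so they need checking against the vendor advisory rather than being read as safe.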