CVE-2014-9450

NameCVE-2014-9450
DescriptionMultiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs774750

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)stretch1:3.0.7+dfsg-3fixed
stretch (security)1:3.0.32+dfsg-0+deb9u1fixed
buster1:4.0.4+dfsg-1fixed
bullseye1:5.0.8+dfsg-1fixed
bookworm, sid1:5.0.14+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcesqueeze(unfixed)end-of-life
zabbixsource(unstable)1:2.2.7+dfsg-2774750

Notes

[squeeze] - zabbix <end-of-life> (Unsupported in squeeze-lts)
https://support.zabbix.com/browse/ZBX-8582
https://github.com/svn2github/zabbix/commit/984bd3bec2d6ca5a80104a5574d19b7f4d04f24b

Search for package or bug name: Reporting problems