CVE-2014-9450

Name: CVE-2014-9450
Description: Multiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 774750

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                Version                   Status
zabbix (PTS)     jessie                 1:2.2.7+dfsg-2+deb8u3     fixed
                 jessie (security)      1:2.2.23+dfsg-0+deb8u1    fixed
                 stretch                1:3.0.7+dfsg-3            fixed
                 buster, bullseye, sid  1:4.0.4+dfsg-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version    Urgency       Origin   Debian Bugs
zabbix    source   (unstable)  1:2.2.7+dfsg-2   high                   774750
zabbix    source   squeeze     (unfixed)        end-of-life

Notes

[squeeze] - zabbix <end-of-life> (Unsupported in squeeze-lts)
https://support.zabbix.com/browse/ZBX-8582
https://github.com/svn2github/zabbix/commit/984bd3bec2d6ca5a80104a5574d19b7f4d04f24b
