CVE-2014-9450

NameCVE-2014-9450
DescriptionMultiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs774750

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)bullseye1:5.0.8+dfsg-1fixed
bullseye (security)1:5.0.46+dfsg-1+deb11u1fixed
bookworm1:6.0.14+dfsg-1fixed
forky, sid, trixie1:7.0.10+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcesqueeze(unfixed)end-of-life
zabbixsource(unstable)1:2.2.7+dfsg-2774750

Notes

[squeeze] - zabbix <end-of-life> (Unsupported in squeeze-lts)
https://support.zabbix.com/browse/ZBX-8582
https://github.com/svn2github/zabbix/commit/984bd3bec2d6ca5a80104a5574d19b7f4d04f24b
Search for package or bug name: Reporting problems