How to report security vulnerabilities

  • dogasantos
    Junior Member
    • Jan 2015
    • 3

    #1

    Hi,
    I'm searching here and on the Zabbix website without luck.
    Does anyone know how I have to proceed to report security vulnerabilities in Zabbix?

    Thanks.
  • coreychristian
    Senior Member
    Zabbix Certified Specialist
    • Jun 2012
    • 159

    #2
    To my knowledge there isn't a really good way to do this with Zabbix, and specific scanning tools tend to be a better way to go.

    Granted, you could likely have Zabbix monitor the results of those scanning tools, but since vulnerabilities change month to month (sometimes more frequently), you would have to create a template and keep the items/triggers that look for specific vulnerabilities updated.

    If there is a better option with Zabbix, I would love to hear it though.


    • dogasantos
      Junior Member
      • Jan 2015
      • 3

      #3
      Originally posted by coreychristian
      To my knowledge there isn't a really good way to do this with Zabbix, and specific scanning tools tend to be a better way to go.

      Granted, you could likely have Zabbix monitor the results of those scanning tools, but since vulnerabilities change month to month (sometimes more frequently), you would have to create a template and keep the items/triggers that look for specific vulnerabilities updated.

      If there is a better option with Zabbix, I would love to hear it though.
      Sorry, I think I was not clear in my previous post.

      I found a security vulnerability in the Zabbix source code, so I want to report it to the Zabbix development team so they can fix it. But I can't find information on how to do this. Just posting it here is not a good idea, I think.


      • tchjts1
        Senior Member
        • May 2008
        • 1605

        #4
        I will have a Zabbix staff member contact you.


        • coreychristian
          Senior Member
          Zabbix Certified Specialist
          • Jun 2012
          • 159

          #5
          Originally posted by dogasantos
          Sorry, I think I was not clear in my previous post.

          I found a security vulnerability in the Zabbix source code, so I want to report it to the Zabbix development team so they can fix it. But I can't find information on how to do this. Just posting it here is not a good idea, I think.
          Probably my lack of caffeine as well.

          If you have access, I believe you can report bugs and other software issues at the following link; not sure if you need a support contract though.



          Or wait for the staff member to reach out to you.


          • richlv
            Senior Member
            Zabbix Certified Trainer
            Zabbix Certified Specialist
            Zabbix Certified Professional
            • Oct 2005
            • 3112

            #6
            Originally posted by dogasantos
            Sorry, I think I was not clear in my previous post.

            I found a security vulnerability in the Zabbix source code, so I want to report it to the Zabbix development team so they can fix it. But I can't find information on how to do this. Just posting it here is not a good idea, I think.
            Depending on how critical it is, you may choose to either report it in the public bug tracker (if it's minor) or send the information in an encrypted email (if it's serious).

            In the latter case, please send the details to [email protected] - you may find the public GPG key on the SKS keyservers (see https://sks-keyservers.net/).

            Thank you for your interest in Zabbix; looking forward to receiving the information on the security problem.
            Zabbix 3.0 Network Monitoring book


            • dogasantos
              Junior Member
              • Jan 2015
              • 3

              #7
              Originally posted by richlv
              Depending on how critical it is, you may choose to either report it in the public bug tracker (if it's minor) or send the information in an encrypted email (if it's serious).

              In the latter case, please send the details to [email protected] - you may find the public GPG key on the SKS keyservers (see https://sks-keyservers.net/).

              Thank you for your interest in Zabbix; looking forward to receiving the information on the security problem.
              Nice!
              Thanks @coreychristian, @richlv, @tchjts1.
              I'll use the bug tracker; it's a low-risk vulnerability.
              But I'll keep these contacts in mind!!!


              • garry3800
                Junior Member
                • May 2019
                • 4

                #8
                Dear Sir:
                We found a vulnerability with Acunetix:
                Login page password-guessing attack (CWE-307) in /zabbix/index.php
                Will Zabbix fix it?


                • garry3800
                  Junior Member
                  • May 2019
                  • 4

                  #9
                  Dear Sir:
                  We found a vulnerability with Acunetix; the Zabbix version is 4.2.
                  Vulnerable JavaScript library (CWE-16) in /jsLoader.php
                  Will Zabbix fix it?


                • vmurzins
                  Zabbix developer
                  • Feb 2017
                  • 1

                  #10
                  Hello garry3800,

                  Thank you for sharing your security vulnerability findings with us.

                  About the jQuery vulnerability: as Atsushi mentioned, we recently investigated it. None of the currently known jQuery vulnerabilities can be used to compromise Zabbix security. See: https://support.zabbix.com/browse/ZBX-16069.
                  About the password-guessing attack: we block login attempts after multiple incorrect password entries. As such, more information would be needed to understand the problem you are mentioning. Can you please send it to [email protected]?

                  Thank you.


                  • garry3800
                    Junior Member
                    • May 2019
                    • 4

                    #11
                    Dear Sir:
                    We found a vulnerability, a medium issue, with WebInspect; the Zabbix version is 4.4.
                    Path Manipulation: Relative Path Overwrite (11392)
                    CWE: 79
                    Kingdom: API Abuse
                    Will Zabbix fix it?


                    • garry3800
                      Junior Member
                      • May 2019
                      • 4

                      #12
                      Dear Sir:
                      We found a vulnerability, a high issue, with WebInspect; the Zabbix version is 4.4.
                      Often Misused: File Upload (11503)
                      CWE: 434
                      Kingdom: API Abuse
                      Will Zabbix fix it?
