Mitre ID |
CVE-2024-22117 |
CVSS score |
2.2 |
CVSS vector |
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
Severity |
Low |
Summary |
The value of sysmap_element_url can be de-synchronized, causing the map element to crash when a new URL is added |
Description |
When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element. |
Common Weakness Enumeration (CWE) |
CWE-20 Improper Input Validation |
Common Attack Pattern Enumeration and Classification (CAPEC) |
CAPEC-207 Removing Important Client Functionality |
Known attack vectors |
Once sysmap_element_url has been manipulated in this way, no one else will be able to add URLs to the map element. |
Details |
- |
Patch provided |
No |
Component/s |
Frontend, API |
Affected and fixed version/s |
5.0.0 - 5.0.43 / 5.0.44rc1
6.0.0 - 6.0.33 / 6.0.34rc1
6.4.0 - 6.4.18 / 6.4.19rc1
7.0.0 - 7.0.3 / 7.0.4rc1 |
Fix compatibility tests |
- |
Resolution |
Fixed |
Workarounds |
- |
Acknowledgements |
Zabbix wants to thank prasetia (prasetia) for submitting this report on the HackerOne bug bounty platform. |
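
The ID desynchronization from the Description field, as a simplified model with the input validation that closes it and a consistency check an administrator could run. This is an added example, not Zabbix code: the SQLite schema, the `id_counter` table, the function names and the URLs are hypothetical stand-ins for the "retrieve the last ID and increment it" behaviour.

```python
import sqlite3

def make_db():
    # Constructed schema: a simplified stand-in, not the real Zabbix schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sysmap_element_url (
            sysmapelementurlid INTEGER PRIMARY KEY, name TEXT, url TEXT);
        CREATE TABLE id_counter (lastid INTEGER NOT NULL);
        INSERT INTO id_counter VALUES (0);
    """)
    return conn

def next_id(conn):
    # "Retrieve the last value and increment it by one."
    conn.execute("UPDATE id_counter SET lastid = lastid + 1")
    return conn.execute("SELECT lastid FROM id_counter").fetchone()[0]

def add_url_unvalidated(conn, name, url, supplied_id=None):
    # Flawed: a caller-supplied ID is stored without advancing the counter.
    with conn:  # a failed insert rolls back the counter bump as well
        new_id = supplied_id if supplied_id is not None else next_id(conn)
        conn.execute("INSERT INTO sysmap_element_url VALUES (?, ?, ?)",
                     (new_id, name, url))
    return new_id

def add_url_validated(conn, name, url, supplied_id=None):
    # Hardened: IDs for new rows are assigned by the server only.
    if supplied_id is not None:
        raise ValueError("sysmapelementurlid must not be supplied for a new URL")
    return add_url_unvalidated(conn, name, url)

def is_desynchronized(conn):
    # Consistency check: the counter must never trail the highest stored ID.
    lastid = conn.execute("SELECT lastid FROM id_counter").fetchone()[0]
    maxid = conn.execute("SELECT COALESCE(MAX(sysmapelementurlid), 0) "
                         "FROM sysmap_element_url").fetchone()[0]
    return lastid < maxid

def demo():
    conn = make_db()
    first = add_url_unvalidated(conn, "a", "https://example.test/a")
    add_url_unvalidated(conn, "b", "https://example.test/b", supplied_id=first + 1)
    blocked = 0
    for name in ("c", "d"):  # every later add hits the same primary-key clash
        try:
            add_url_unvalidated(conn, name, "https://example.test/" + name)
        except sqlite3.IntegrityError:
            blocked += 1
    return is_desynchronized(conn), blocked
```

`demo()` returns whether the counter trails the table and how many of the two later additions were rejected by the primary-key constraint.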