CVE-2024-42330

CRITICAL severity · CVSS 9.1 · CWE-134

9.1CVSS CRITICAL

Summary

The HttpRequest object allows to get the HTTP headers from the server's response after sending the request. The problem is that the returned strings are created directly from the data returned by the server and are not correctly encoded for JavaScript. This allows to create internal strings that can be used to access hidden properties of objects.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredHigh

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

Zabbix

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://support.zabbix.com/browse/ZBX-25626Advisory
https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html