Public Security Advisories
Coordinated vulnerability disclosures from Argus. Findings, impact, and remediation, published in good faith.
sppp_pap_input uses attacker-controlled length fields from the PAP Authenticate-Request directly as the bcmp comparison length. A zero-length password field makes bcmp compare zero bytes and return 0 (match), so authentication succeeds without a valid password.
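The following is an added illustration of the pattern above, not sppp code: a PAP Authenticate-Request parser, a check that uses the peer's Passwd-Length as the comparison length, and a hardened check that takes the length from the stored credential. The stored secret, the packet bytes and the function names are constructed for the demo. memcmp is used in place of bcmp; both return 0 for a zero-length comparison, which is the whole problem.

```c
/* Added example, not code from the affected product. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stored secret for the demo only. */
static const char STORED_PASSWD[] = "hunter2";

/* PAP Authenticate-Request (RFC 1334): Code=1 | Id | Length(2) |
 * Peer-ID-Length | Peer-ID | Passwd-Length | Password */
struct pap_req {
    const uint8_t *peer_id; size_t peer_id_len;
    const uint8_t *passwd;  size_t passwd_len;
};

/* Bounds-checked parse: 0 on success, -1 if a length field runs past the packet. */
int pap_parse(const uint8_t *pkt, size_t pkt_len, struct pap_req *out)
{
    if (pkt_len < 4 || pkt[0] != 1) return -1;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < 4 || total > pkt_len) return -1;
    size_t off = 4;
    if (off + 1 > total) return -1;
    out->peer_id_len = pkt[off++];
    if (out->peer_id_len > total - off) return -1;
    out->peer_id = pkt + off; off += out->peer_id_len;
    if (off + 1 > total) return -1;
    out->passwd_len = pkt[off++];
    if (out->passwd_len > total - off) return -1;
    out->passwd = pkt + off;
    return 0;
}

/* Vulnerable pattern: the peer's Passwd-Length is the comparison length.
 * memcmp/bcmp with length 0 returns 0, so an empty password "matches";
 * a correct prefix of the password matches as well.
 * Returns 1 accept, 0 reject, -1 malformed. */
int pap_auth_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    struct pap_req r;
    if (pap_parse(pkt, pkt_len, &r) != 0) return -1;
    return memcmp(r.passwd, STORED_PASSWD, r.passwd_len) == 0;
}

/* Hardened: the length comes from the stored credential, the peer's length
 * must equal it (and be non-zero), and the compare is constant time. */
int pap_auth_hardened(const uint8_t *pkt, size_t pkt_len)
{
    struct pap_req r;
    if (pap_parse(pkt, pkt_len, &r) != 0) return -1;
    size_t want = strlen(STORED_PASSWD);
    if (r.passwd_len == 0 || r.passwd_len != want) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < want; i++)
        diff |= (unsigned char)(r.passwd[i] ^ (unsigned char)STORED_PASSWD[i]);
    return diff == 0;
}

/* Constructed packets, peer-id "user": empty password, the correct password,
 * a 6-byte prefix of it, and a packet whose Passwd-Length overruns the data. */
const uint8_t PKT_EMPTY[]  = {1, 7, 0, 10, 4, 'u','s','e','r', 0};
const uint8_t PKT_GOOD[]   = {1, 7, 0, 17, 4, 'u','s','e','r', 7, 'h','u','n','t','e','r','2'};
const uint8_t PKT_PREFIX[] = {1, 7, 0, 16, 4, 'u','s','e','r', 6, 'h','u','n','t','e','r'};
const uint8_t PKT_TRUNC[]  = {1, 7, 0, 13, 4, 'u','s','e','r', 7, 'h','u','n'};

int main(void)
{
    printf("empty   vuln=%d hard=%d\n", pap_auth_vulnerable(PKT_EMPTY, sizeof PKT_EMPTY),
           pap_auth_hardened(PKT_EMPTY, sizeof PKT_EMPTY));
    printf("good    vuln=%d hard=%d\n", pap_auth_vulnerable(PKT_GOOD, sizeof PKT_GOOD),
           pap_auth_hardened(PKT_GOOD, sizeof PKT_GOOD));
    printf("prefix  vuln=%d hard=%d\n", pap_auth_vulnerable(PKT_PREFIX, sizeof PKT_PREFIX),
           pap_auth_hardened(PKT_PREFIX, sizeof PKT_PREFIX));
    printf("trunc   vuln=%d\n", pap_auth_vulnerable(PKT_TRUNC, sizeof PKT_TRUNC));
    return 0;
}
```

The fix is not only "reject zero": any comparison whose length the peer chooses also accepts prefixes, so the length must come from the stored credential and be checked for equality before comparing bytes.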
The report.test trapper endpoint allows an authenticated low-privilege user to supply an arbitrary userid in the request body. The server creates a real session for that user, renders their dashboard as a PDF, and emails it to the attacker, with no check that the requested viewer identity matches the authenticated caller.
Zabbix server takes access_token and refresh_token values directly from an external OAuth server's HTTP response and interpolates them into a SQL UPDATE with no escaping. Stacked queries are enabled, giving an attacker who controls the token endpoint arbitrary SQL execution against the Zabbix database.
SSH connection reuse matching in libcurl does not verify SSH authentication context.
Zabbix MFA enforcement is bypassed when logging in via HTTP Basic Auth or SAML SSO paths, which create fully active sessions without triggering the MFA challenge.
An unchecked copy length derived from parsed network input causes a stack out-of-bounds write in the wlscan ASP handler.
A non-atomic stat/unlink/fopen sequence on a fixed path under /var/tmp is a time-of-check/time-of-use race: an attacker who can create entries in /var/tmp can replace the path with a symlink between the check and the fopen, redirecting the write to a file of their choosing.
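An added example of the race described above, not the affected code: a writer that does stat, unlink, then fopen on a fixed path, beside a version that creates the file in one atomic open with O_EXCL and O_NOFOLLOW. The helper simulates the attacker having already won the race by planting a symlink at the path before the writer runs; the path, file names and the simulate_symlink_attack helper are constructed for the demo.

```c
/* Added example, not code from the affected product. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: check-then-act on a fixed path. The stat result is stale the
 * moment it returns; a symlink dropped at the path afterwards is followed by
 * fopen("w"), which creates or truncates the link target instead. */
int write_report_vulnerable(const char *path, const char *data)
{
    struct stat st;
    if (stat(path, &st) == 0)          /* "does it exist?" */
        unlink(path);                  /* remove stale copy */
    FILE *f = fopen(path, "w");        /* follows a symlink planted after the check */
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened: a single atomic create. O_EXCL fails with EEXIST if anything is
 * already at the path, a dangling symlink included, and O_NOFOLLOW refuses a
 * symlink outright. There is no window between a check and the open. */
int write_report_hardened(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Constructed harness: the attacker has won the race, so path -> victim
 * already exists when the writer runs. Returns 1 if the victim file got
 * created (the writer followed the link), 0 if not, -1 on setup failure. */
int simulate_symlink_attack(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[256], victim[256];
    snprintf(path, sizeof path, "%s/report.txt", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, path) != 0) return -1;
    writer(path, "owned\n");
    struct stat st;
    int hit = (stat(victim, &st) == 0);
    unlink(victim); unlink(path); rmdir(dir);
    return hit;
}

int main(void)
{
    printf("vulnerable writer followed symlink: %d\n", simulate_symlink_attack(write_report_vulnerable));
    printf("hardened   writer followed symlink: %d\n", simulate_symlink_attack(write_report_hardened));
    return 0;
}
```

Where the file name must be unique rather than fixed, mkstemp in a directory the attacker cannot write to gives the same O_EXCL semantics without a predictable path.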
Error sentinel values returned by web_read (negative return codes) are propagated unchecked as unsigned size arguments to f_write, where they become very large lengths and enable oversized memory operations.
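An added example covering this pattern and the unchecked copy length two entries above (the wlscan stack write); it is not code from the affected firmware. A reader with a web_read-style contract (non-negative count or negative sentinel, assumed) feeds a sink with an f_write-style unsigned length parameter. The vulnerable relay passes the int straight through, so -1 arrives as SIZE_MAX; the hardened relay rejects sentinels and bounds the count against both the source buffer and the destination. The reader and sink functions and DEMO_OUT are constructed; the sink refuses oversized lengths only so the demo is safe to run, which the real sink did not.

```c
/* Added example, not code from the affected product. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed web_read-style contract: bytes read (>= 0) or a negative sentinel. */
typedef int (*reader_fn)(uint8_t *buf, size_t cap);

/* Constructed readers for the demo. */
int reader_five_bytes(uint8_t *buf, size_t cap)
{
    if (cap < 5) return -2;                 /* assumed: -2 = buffer too small */
    memcpy(buf, "hello", 5);
    return 5;
}
int reader_fails(uint8_t *buf, size_t cap)
{
    (void)buf; (void)cap;
    return -1;                              /* assumed: -1 = I/O error */
}

/* Stand-in for an f_write-style sink with a size_t length. The real sink
 * copies len bytes unconditionally; this one refuses lengths beyond dst_cap
 * so the demo cannot corrupt memory, and returns the length it was handed
 * so the caller's mistake is observable. */
size_t sink_write(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t len)
{
    if (len <= dst_cap) memcpy(dst, src, len);
    return len;
}

/* Vulnerable: the int return is passed into the size_t parameter with no
 * sign check. -1 becomes SIZE_MAX, -2 becomes SIZE_MAX - 1.
 * Returns the length handed to the sink. */
size_t relay_vulnerable(reader_fn rd, uint8_t *dst, size_t dst_cap)
{
    uint8_t buf[64];
    int n = rd(buf, sizeof buf);
    return sink_write(dst, dst_cap, buf, n);   /* implicit int -> size_t */
}

/* Hardened: reject sentinels before any conversion, then bound the count by
 * the buffer that was actually filled and by the destination capacity.
 * Returns bytes relayed, or -1. */
int relay_hardened(reader_fn rd, uint8_t *dst, size_t dst_cap)
{
    uint8_t buf[64];
    int n = rd(buf, sizeof buf);
    if (n < 0) return -1;                      /* error sentinel */
    if ((size_t)n > sizeof buf) return -1;     /* count exceeds what was filled */
    if ((size_t)n > dst_cap) return -1;        /* would overflow the destination */
    sink_write(dst, dst_cap, buf, (size_t)n);
    return n;
}

uint8_t DEMO_OUT[16];                          /* constructed destination buffer */

int main(void)
{
    printf("vulnerable, reader error: len=%zu (SIZE_MAX=%zu)\n",
           relay_vulnerable(reader_fails, DEMO_OUT, sizeof DEMO_OUT), (size_t)SIZE_MAX);
    printf("hardened,   reader error: %d\n", relay_hardened(reader_fails, DEMO_OUT, sizeof DEMO_OUT));
    printf("hardened,   5 bytes:      %d\n", relay_hardened(reader_five_bytes, DEMO_OUT, sizeof DEMO_OUT));
    return 0;
}
```

The same two bounds apply to a parsed length field: compare it against the bytes actually received and against the stack buffer it is copied into, before the copy.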
Attacker-controlled filename input reaches fopen and unlink calls without canonicalization or directory confinement.
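An added example of directory confinement for the pattern above, not the affected code. The vulnerable open pastes the request-supplied name under a base directory; the confined versions validate the name as a single path component and then use openat/unlinkat on a directory descriptor with O_NOFOLLOW, so neither traversal nor a planted symlink can leave the directory. The base directory, the file names and the confinement_demo helper are constructed for the demo.

```c
/* Added example, not code from the affected product. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: "../../etc/passwd" walks out of base; a symlink inside base
 * is followed to wherever it points. */
int open_file_vulnerable(const char *base, const char *name)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", base, name);
    return open(path, O_RDONLY);
}

/* Name policy: exactly one path component. No separators, no "." or "..",
 * not empty. */
int is_safe_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\') return 0;
    return 1;
}

/* Confined open: resolve relative to a directory fd. With a single component
 * and O_NOFOLLOW (symlink at the final component -> ELOOP), the open cannot
 * land outside the directory, and there is no path string to race on. */
int open_file_confined(int base_dirfd, const char *name)
{
    if (!is_safe_name(name)) { errno = EINVAL; return -1; }
    return openat(base_dirfd, name, O_RDONLY | O_NOFOLLOW);
}

/* Confined unlink: removes a symlink itself, never its target. */
int unlink_file_confined(int base_dirfd, const char *name)
{
    if (!is_safe_name(name)) { errno = EINVAL; return -1; }
    return unlinkat(base_dirfd, name, 0);
}

/* Constructed demo: temp dir holding a regular file "a.txt" and a symlink
 * "esc" -> "/". Returns a bitmask: 1 vulnerable open followed the symlink,
 * 2 confined open of a.txt worked, 4 confined open of "esc" got ELOOP,
 * 8 traversal name got EINVAL. 15 = all as described; -1 = setup failed. */
int confinement_demo(void)
{
    char dir[] = "/tmp/confine-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char p[256];
    snprintf(p, sizeof p, "%s/a.txt", dir);
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    snprintf(p, sizeof p, "%s/esc", dir);
    if (symlink("/", p) != 0) return -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;

    int mask = 0;
    fd = open_file_vulnerable(dir, "esc");
    if (fd >= 0) { mask |= 1; close(fd); }
    fd = open_file_confined(dirfd, "a.txt");
    if (fd >= 0) { mask |= 2; close(fd); }
    if (open_file_confined(dirfd, "esc") < 0 && errno == ELOOP) mask |= 4;
    if (open_file_confined(dirfd, "../a.txt") < 0 && errno == EINVAL) mask |= 8;

    unlink_file_confined(dirfd, "esc");
    unlink_file_confined(dirfd, "a.txt");
    close(dirfd);
    rmdir(dir);
    return mask;
}

int main(void)
{
    printf("confinement_demo() = %d (expect 15)\n", confinement_demo());
    return 0;
}
```

Canonicalising with realpath and comparing prefixes also works for files that already exist, but it reintroduces a check-then-open window; the descriptor-relative form avoids that.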
User-controlled CGI parameters and request-derived buffers are embedded into shell command strings and executed without sanitization.
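An added example for the command-injection pattern above, not the affected CGI code. The vulnerable builder splices a request parameter into a shell command string (the original pattern then hands it to system); the hardened path allowlists the value and runs the program through fork/execvp with an argv array, so the parameter is a single argument with no shell to interpret it. The parameter name, the ping invocation and the probe argv arrays are constructed for the demo.

```c
/* Added example, not code from the affected product. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: host = "127.0.0.1; id" becomes "ping -c 1 127.0.0.1; id".
 * This only builds the string; the original pattern passes it to system(). */
int build_ping_cmd_vulnerable(char *out, size_t cap, const char *host)
{
    int n = snprintf(out, cap, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Allowlist for the parameter: hostname/IP characters only, bounded length,
 * no leading '-' so the value cannot be parsed as an option. */
int is_valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* No shell: argv elements are passed to the program verbatim, so metacharacters
 * in one element stay inside that element. Returns the child's exit status,
 * or -1 on fork/wait failure (127 if exec failed). */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened handler: validate, then exec with a fixed argv. Returns -1 when
 * the parameter fails the allowlist, otherwise ping's exit status. */
int ping_host_hardened(const char *host)
{
    if (!is_valid_host(host)) return -1;
    char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
    return run_argv(argv);
}

/* Constructed probes for the demo: exit codes 0 and 1 without a shell. */
char *const ARGV_TRUE[]  = {"true", NULL};
char *const ARGV_FALSE[] = {"false", NULL};
char CMD[128];                                 /* constructed output buffer */

int main(void)
{
    build_ping_cmd_vulnerable(CMD, sizeof CMD, "127.0.0.1; id");
    printf("vulnerable command string: %s\n", CMD);
    printf("hardened rejects it: %d\n", ping_host_hardened("127.0.0.1; id"));
    printf("true exits %d, false exits %d\n", run_argv(ARGV_TRUE), run_argv(ARGV_FALSE));
    return 0;
}
```

The allowlist is the primary control and the argv exec is the structural one; keep both, since a valid-looking value that starts with '-' can still change a program's behaviour even without a shell.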
A hardcoded default admin password literal is embedded in the binary and used in authentication comparisons.
Captive portal credentials are written to syslog in plaintext on authentication failure.