
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A privacy vulnerability identified as CVE-2024-42325 was discovered in Zabbix API's user.get functionality. The vulnerability was reported on April 1, 2025, and affects multiple versions of Zabbix. The issue allows users to access sensitive information about other users who share common groups with the calling user (Zabbix Issue).
The vulnerability exists in the Zabbix API's user.get function, which improperly returns excessive user information including media details and login attempt history for all users sharing a common group with the calling user. The vulnerability has been assigned a CVSS v4.0 Base Score of 2.1 (LOW) with the vector string CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. It has been classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) (NVD).
The vulnerability exposes sensitive user information including media details and login attempt history to other users within the same group. This unauthorized access to private information could potentially be used for reconnaissance or social engineering attacks (NVD).
Fixed versions have been released, including 5.0.46rc1, 6.0.38rc1, 7.0.9rc1, 7.2.3rc1, and 7.4.0alpha1. Users are advised to upgrade to one of these versions or later to address the vulnerability (Zabbix Issue).
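To check an inventory of Zabbix servers against the fixed releases listed above, the following added example (not code from Zabbix or from this database) compares a version string with the fix for its branch. It assumes version strings follow the `major.minor.patch[alpha|beta|rc]N` form used in the advisory; the hostnames and installed versions in the sample inventory are constructed.

```python
import re

# Fixed releases listed in the advisory above, keyed by major.minor branch.
FIXED = {
    "5.0": "5.0.46rc1",
    "6.0": "6.0.38rc1",
    "7.0": "7.0.9rc1",
    "7.2": "7.2.3rc1",
    "7.4": "7.4.0alpha1",
}

# Pre-release ordering: alpha < beta < rc < final release (no suffix).
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, "": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '7.0.9rc1' into a sortable tuple (7, 0, 9, 2, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[stage or ""], int(num or 0))


def fix_status(installed):
    """Return 'fixed', 'needs-upgrade' or 'unknown-branch' for one version string."""
    ver = parse_version(installed)
    branch = f"{ver[0]}.{ver[1]}"
    fixed = FIXED.get(branch)
    if fixed is None:
        # The advisory names no fixed release for this branch; do not guess.
        return "unknown-branch"
    return "fixed" if ver >= parse_version(fixed) else "needs-upgrade"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"zbx-prod": "7.0.8", "zbx-lab": "7.0.9rc1",
                 "zbx-old": "6.4.12", "zbx-dr": "6.0.38"}
    for host, version in inventory.items():
        print(f"{host:10} {version:12} {fix_status(version)}")
```

A result of `unknown-branch` means the advisory lists no fixed release for that branch, so the status has to be confirmed against the vendor's issue tracker rather than inferred.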
Source: This report was generated using AI