CVE-2024-42330: 
Zabbix Server vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-42330) has been identified in Zabbix, a popular open-source monitoring tool. The vulnerability affects multiple versions of Zabbix including versions 6.0.0 through 6.0.33, 6.4.0 through 6.4.18, and 7.0.0 through 7.0.3. The issue was discovered by security researcher 'zhutyra' through the HackerOne bug bounty platform and has been assigned a critical CVSS score of 9.1 (SecurityOnline).

The vulnerability stems from improper encoding of HTTP headers in the HttpRequest object. Specifically, the returned strings are created directly from the data returned by the server without proper JavaScript encoding. This implementation flaw allows attackers to create internal strings that can be used to access hidden properties of objects. The vulnerability has been classified under CWE-134 (Use of Externally-Controlled Format String) (NVD, Zabbix Support).

The vulnerability has been rated as Critical with a CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). This high severity rating indicates that successful exploitation could lead to significant compromise of the affected systems, potentially allowing attackers to execute arbitrary code on vulnerable systems (SecurityOnline).

Zabbix has released patched versions to address this vulnerability: 6.0.34rc1, 6.4.19rc1, and 7.0.4rc1. Organizations using affected versions are strongly urged to update to these latest releases immediately to mitigate the security risk (ASEC).