CVE-2024-36463 - Vulnerability Details - OpenCVE

The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Zabbix	Zabbix

Configuration 1 [-]

OR	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::
	cpe:2.3:a:zabbix:zabbix::::::::

No data.

References

Link	Providers
https://support.zabbix.com/browse/ZBX-25611

History

Wed, 08 Oct 2025 16:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:zabbix:zabbix::::::::

Tue, 26 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 26 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Description		The implementation of atob in "Zabbix JS" allows to create a string with arbitrary content and use it to access internal properties of objects.
Weaknesses		CWE-767
References		https://support.zabbix.com/browse/ZBX-25611
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Zabbix

Published: 2024-11-26T15:06:14.217Z

Updated: 2024-11-26T16:21:54.142Z

Reserved: 2024-05-28T11:21:24.946Z

Link: CVE-2024-36463

Vulnrichment

Updated: 2024-11-26T16:21:43.768Z

NVD

Status : Analyzed

Published: 2024-11-26T15:15:31.827

Modified: 2025-10-08T16:03:31.983

Link: CVE-2024-36463

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36463", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2024-05-28T11:21:24.946Z", "datePublished": "2024-11-26T15:06:14.217Z", "dateUpdated": "2024-11-26T16:21:54.142Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Proxy", "Server"], "product": "Zabbix", "repo": "https://git.zabbix.com/", "vendor": "Zabbix", "versions": [{"changes": [{"at": "5.0.43rc1", "status": "unaffected"}], "lessThanOrEqual": "5.0.42", "status": "affected", "version": "5.0.0", "versionType": "git"}, {"changes": [{"at": "6.0.33rc1", "status": "unaffected"}], "lessThanOrEqual": "6.0.32", "status": "affected", "version": "6.0.0", "versionType": "git"}, {"changes": [{"at": "6.4.18rc1", "status": "unaffected"}], "lessThanOrEqual": "6.4.17", "status": "affected", "version": "6.4.0", "versionType": "git"}, {"changes": [{"at": "7.0.3rc1", "status": "unaffected"}], "lessThanOrEqual": "7.0.2", "status": "affected", "version": "7.0.0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform."}], "datePublic": "2024-09-05T07:45:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of objects."}], "value": "The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of objects."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-767", "description": "CWE-767 Access to Critical Private Variable via Public Method", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2024-11-26T15:06:14.217Z"}, "references": [{"url": "https://support.zabbix.com/browse/ZBX-25611"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-26T16:21:34.528363Z", "id": "CVE-2024-36463", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T16:21:54.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-26T16:21:34.528363Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T16:21:43.768Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank zhutyra for submitting this report on the HackerOne bug bounty platform."}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["Proxy", "Server"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "5.0.43rc1", "status": "unaffected"}], "version": "5.0.0", "versionType": "git", "lessThanOrEqual": "5.0.42"}, {"status": "affected", "changes": [{"at": "6.0.33rc1", "status": "unaffected"}], "version": "6.0.0", "versionType": "git", "lessThanOrEqual": "6.0.32"}, {"status": "affected", "changes": [{"at": "6.4.18rc1", "status": "unaffected"}], "version": "6.4.0", "versionType": "git", "lessThanOrEqual": "6.4.17"}, {"status": "affected", "changes": [{"at": "7.0.3rc1", "status": "unaffected"}], "version": "7.0.0", "versionType": "git", "lessThanOrEqual": "7.0.2"}], "defaultStatus": "unaffected"}], "datePublic": "2024-09-05T07:45:00.000Z", "references": [{"url": "https://support.zabbix.com/browse/ZBX-25611"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of objects.", "supportingMedia": [{"type": "text/html", "value": "The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of objects.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-767", "description": "CWE-767 Access to Critical Private Variable via Public Method"}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2024-11-26T15:06:14.217Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36463", "state": "PUBLISHED", "dateUpdated": "2024-11-26T16:21:54.142Z", "dateReserved": "2024-05-28T11:21:24.946Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2024-11-26T15:06:14.217Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FD388E0-B624-4CDF-A5E7-A892BAA8AF82", "versionEndExcluding": "5.0.43", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBDE7D5E-7B41-41A4-948D-6165DE3ACC43", "versionEndExcluding": "6.0.33", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "509FD9C1-CCCD-472B-A4BC-B422133F704E", "versionEndExcluding": "6.4.18", "versionStartIncluding": "6.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1F679BD-7DB5-4B97-8644-C7240727CBF9", "versionEndExcluding": "7.0.3", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The implementation of atob in \"Zabbix JS\" allows to create a string with arbitrary content and use it to access internal properties of objects."}, {"lang": "es", "value": "La implementaci\u00f3n de atob en \"Zabbix JS\" permite crear una cadena con contenido arbitrario y usarla para acceder a las propiedades internas de los objetos."}], "id": "CVE-2024-36463", "lastModified": "2025-10-08T16:03:31.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@zabbix.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-26T15:15:31.827", "references": [{"source": "security@zabbix.com", "tags": ["Vendor Advisory"], "url": "https://support.zabbix.com/browse/ZBX-25611"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-767"}], "source": "security@zabbix.com", "type": "Secondary"}]}