Zabbix API user.get Exposes Sensitive User Data
CVE-2024-42325 Published on April 2, 2025
Excessive information returned by user.get
The Zabbix API method user.get returns all users who share a common group with the calling user. The returned data includes media and other information, such as login attempts.
Weakness Type
What is a Privacy violation Vulnerability?
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
CVE-2024-42325 has been classified as a Privacy violation vulnerability or weakness.
Products Associated with CVE-2024-42325
Affected Versions
Zabbix:
- Version 5.0.0, <= 5.0.45 is affected.
- Version 6.0.0, <= 6.0.37 is affected.
- Version 7.0.0, <= 7.0.8 is affected.
- Version 7.2.0, <= 7.2.2 is affected.
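A triage helper for the description and version list above, added here as an example and not taken from Zabbix or from this advisory: it checks a server version against the listed ranges and reports which sensitive fields a user.get result carries for users other than the caller. The field names (`attempt_failed`, `attempt_ip`, `attempt_clock`, `medias`, `username`/`alias`) are assumed from the Zabbix user object, and the sample response is constructed.

```python
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
AFFECTED = [((5, 0, 0), (5, 0, 45)), ((6, 0, 0), (6, 0, 37)),
            ((7, 0, 0), (7, 0, 8)), ((7, 2, 0), (7, 2, 2))]

# Assumed field names: login-attempt properties of the Zabbix user object,
# plus the "medias" list returned when media are requested.
SENSITIVE = ("attempt_failed", "attempt_ip", "attempt_clock", "medias")

def parse_version(text):
    """Parse 'X.Y.Z'; a suffix such as 'rc1' is ignored, anything else raises."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True if the version falls inside one of the ranges listed on this page."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def audit_user_get(result, caller_userid):
    """Map each other user to the sensitive fields populated in their record."""
    findings = {}
    for user in result:
        if str(user.get("userid")) == str(caller_userid):
            continue  # the caller reading their own record is expected
        # Empty strings, empty lists and "0" counters carry no data.
        exposed = [f for f in SENSITIVE if user.get(f) not in (None, "", [], "0")]
        if exposed:
            name = user.get("username") or user.get("alias") or user.get("userid")
            findings[name] = exposed
    return findings

# Constructed sample: the "result" array of a user.get reply as seen by userid 3.
SAMPLE = [
    {"userid": "3", "username": "alice", "attempt_failed": "0", "attempt_ip": "",
     "medias": [{"sendto": "alice@example.org"}]},
    {"userid": "7", "username": "bob", "attempt_failed": "2",
     "attempt_ip": "192.0.2.10", "attempt_clock": "1700000000",
     "medias": [{"sendto": "bob@example.org"}]},
    {"userid": "9", "username": "carol", "attempt_failed": "0", "attempt_ip": "",
     "attempt_clock": "0"},
]

if __name__ == "__main__":
    for v in ("6.0.37", "6.0.38", "7.2.2"):
        print(v, "affected" if is_affected(v) else "not listed as affected")
    print(audit_user_get(SAMPLE, caller_userid="3"))
```

A version outside the listed ranges is reported only as "not listed as affected"; this page says nothing about release lines it does not name.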
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.