libs/zbxmedia/eztexting.c in Zabbix 1.8.x before 1.8.18rc1, 2.0.x before 2.0.8rc1, and 2.1.x before 2.1.2 does not properly set the CURLOPT_SSL_VERIFYHOST option for libcurl, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Zabbix | Zabbix | 1.8.1 (including) | 1.8.1 (including) |
| Zabbix | Zabbix | 1.8.10-rc1 (including) | 1.8.10-rc1 (including) |
| Zabbix | Zabbix | 1.8.10-rc2 (including) | 1.8.10-rc2 (including) |
| Zabbix | Zabbix | 1.8.15-rc1 (including) | 1.8.15-rc1 (including) |
| Zabbix | Zabbix | 1.8.16 (including) | 1.8.16 (including) |
| Zabbix | Zabbix | 2.0.0 (including) | 2.0.0 (including) |
| Zabbix | Zabbix | 2.0.0-rc1 (including) | 2.0.0-rc1 (including) |
| Zabbix | Zabbix | 2.0.0-rc2 (including) | 2.0.0-rc2 (including) |
| Zabbix | Zabbix | 2.0.0-rc3 (including) | 2.0.0-rc3 (including) |
| Zabbix | Zabbix | 2.0.0-rc4 (including) | 2.0.0-rc4 (including) |
| Zabbix | Zabbix | 2.0.0-rc5 (including) | 2.0.0-rc5 (including) |
| Zabbix | Zabbix | 2.0.0-rc6 (including) | 2.0.0-rc6 (including) |
| Zabbix | Zabbix | 2.0.1 (including) | 2.0.1 (including) |
| Zabbix | Zabbix | 2.0.1-rc1 (including) | 2.0.1-rc1 (including) |
| Zabbix | Zabbix | 2.0.1-rc2 (including) | 2.0.1-rc2 (including) |
| Zabbix | Zabbix | 2.0.2 (including) | 2.0.2 (including) |
| Zabbix | Zabbix | 2.0.3 (including) | 2.0.3 (including) |
| Zabbix | Zabbix | 2.0.4 (including) | 2.0.4 (including) |
| Zabbix | Zabbix | 2.0.5 (including) | 2.0.5 (including) |
| Zabbix | Zabbix | 2.0.6 (including) | 2.0.6 (including) |
| Zabbix | Zabbix | 2.1.0 (including) | 2.1.0 (including) |
| Zabbix | Zabbix | 2.1.1 (including) | 2.1.1 (including) |