Headline
CVE-2021-27927: [ZBX-18942] CControllerAuthenticationUpdate controller is not protected by a CSRF token (CVE-2021-27927)
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Details
Type: Defect (Security)
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Sprint: Sprint 72 (Jan 2021)
Description
The code inside this controller calls disableSIDValidation inside the init() method, so the per-session SID token that Zabbix uses as its CSRF check is never validated for this action.
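The linked follow-up (ZBX-19150) reviews every controller for SID validation. The script below is an added illustration of that audit, not Zabbix code: it scans constructed, stripped-down controller sources for an init() that opts out of SID validation and flags the state-changing ones (names ending in Update, Delete, Create, Enable or Disable), which are the ones where a missing CSRF check matters. The method name `disableSIDvalidation` is matched case-insensitively because its exact casing is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample sources in the shape the issue describes. These are NOT
# Zabbix source files; class bodies are reduced to what the audit inspects.
SAMPLE_CONTROLLERS: Dict[str, str] = {
    "CControllerAuthenticationUpdate.php": """<?php
class CControllerAuthenticationUpdate extends CController {
    protected function init() {
        $this->disableSIDvalidation();   // opts out of the CSRF check
    }
}
""",
    "CControllerUserUpdate.php": """<?php
class CControllerUserUpdate extends CController {
    protected function init() {
        // $this->disableSIDvalidation();  commented out: check stays enabled
    }
}
""",
    "CControllerDashboardView.php": """<?php
class CControllerDashboardView extends CController {
    protected function init() {
        $this->disableSIDvalidation();   // read-only view, lower risk
    }
}
""",
}

CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+CController", re.I)
DISABLE_RE = re.compile(r"disableSIDvalidation\s*\(", re.I)
LINE_COMMENT_RE = re.compile(r"//.*?$|#.*?$", re.M)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
STATE_CHANGING_SUFFIXES = ("Update", "Delete", "Create", "Enable", "Disable")


def audit_sid_validation(sources: Dict[str, str]) -> List[Tuple[str, bool]]:
    """Return (controller name, is_state_changing) for every controller whose
    live code (comments stripped) calls disableSIDvalidation()."""
    flagged = []
    for path, src in sources.items():
        code = BLOCK_COMMENT_RE.sub("", src)
        code = LINE_COMMENT_RE.sub("", code)
        m = CLASS_RE.search(code)
        name = m.group(1) if m else path
        if DISABLE_RE.search(code):
            flagged.append((name, name.endswith(STATE_CHANGING_SUFFIXES)))
    return sorted(flagged)


def high_risk_controllers(sources: Dict[str, str]) -> List[str]:
    """State-changing controllers that skip SID validation: review these first."""
    return [name for name, changes_state in audit_sid_validation(sources) if changes_state]
```

Pointing the functions at a real checkout of the frontend controllers directory gives the same review list the follow-up issue asks for.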
Issue Links
depends on: ZBX-19150 Review all controller actions for SID validation (CVE-2021-27927) (Closed)
People
Votes: 0
Watchers: 7
Dates
Created: 2021 Jan 04 09:54
Updated: 2022 Jan 24 10:28
Resolved: 2021 Jan 31 18:40