
CVE-2021-27927: [ZBX-18942] CControllerAuthenticationUpdate controller is not protected by a CSRF token (CVE-2021-27927)

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls disableSIDValidation inside the init() method. An attacker doesn’t have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
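The defect described above is a controller that opts out of the request-token check in its init() method, so a state-changing request only needs the victim's session cookie, which the browser attaches automatically. The following is an added example, not Zabbix's code: a hypothetical dispatcher that requires a session-bound token (passed here as a `sid` form field, an assumed name) before running a controller, shown once with a controller that disables the check in init() and once with the opt-out removed. The class and function names, the in-memory session store and the sample requests are all constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}


def new_session(user):
    """Create a logged-in session with its own per-session CSRF token."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return cookie


def csrf_token_for(cookie):
    """Token a legitimate page would embed in its own forms (hypothetical helper)."""
    return SESSIONS[cookie]["csrf_token"]


class Controller:
    """Hypothetical base controller: token validation is on unless init() turns it off."""
    validate_sid = True

    def init(self):
        pass

    def do_action(self, session, params):
        raise NotImplementedError


class AuthenticationUpdateVulnerable(Controller):
    """Mirrors the reported pattern: init() disables the token check."""

    def init(self):
        self.validate_sid = False  # the defect: CSRF protection switched off

    def do_action(self, session, params):
        session["auth_settings"] = params["settings"]
        return "authentication settings updated"


class AuthenticationUpdateFixed(Controller):
    """Same action with the opt-out removed, so the dispatcher enforces the token."""

    def do_action(self, session, params):
        session["auth_settings"] = params["settings"]
        return "authentication settings updated"


def dispatch(controller_cls, request):
    """Run a controller for a request.

    request["cookie_sid"] is the session cookie, which the browser sends even for
    a request triggered from another site; request["params"] are the form fields,
    which a cross-site page can fully control. Returns (status, message).
    """
    session = SESSIONS.get(request.get("cookie_sid"))
    if session is None:
        return 401, "not logged in"
    ctrl = controller_cls()
    ctrl.init()
    if ctrl.validate_sid:
        submitted = request["params"].get("sid", "")
        # Constant-time comparison so the check does not leak token bytes.
        if not hmac.compare_digest(submitted, session["csrf_token"]):
            return 403, "CSRF token missing or invalid"
    return 200, ctrl.do_action(session, request["params"])


def run_demo():
    """Exercise both controllers with a forged and a legitimate request."""
    cookie = new_session("admin")
    settings = {"http_auth_enabled": 1}
    # A cross-site page cannot read the per-session token, so it sends none.
    forged = {"cookie_sid": cookie, "params": {"settings": settings}}
    legit = {"cookie_sid": cookie,
             "params": {"settings": settings, "sid": csrf_token_for(cookie)}}
    return {
        "vulnerable_forged": dispatch(AuthenticationUpdateVulnerable, forged)[0],
        "fixed_forged": dispatch(AuthenticationUpdateFixed, forged)[0],
        "fixed_legit": dispatch(AuthenticationUpdateFixed, legit)[0],
    }


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: HTTP {status}")
```

The vulnerable controller accepts the forged request (200) because the only thing it checks is the session cookie; the fixed controller rejects it (403) and still serves the request that carries the correct per-session token. The review task the linked ZBX-19150 describes amounts to confirming that no other controller disables this check in the same way.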

CVE
#csrf #vulnerability #auth

Details

  • Type: Defect (Security)

  • Status: Closed

  • Priority: Major

  • Resolution: Fixed

  • Affects Version/s: None

  • Sprint: Sprint 72 (Jan 2021)

Description

The code inside this controller calls disableSIDValidation inside the init() method.

Issue Links

depends on: ZBX-19150 Review all controller actions for SID validation (CVE-2021-27927)

  • Type: Defect (Security) - Discovered security vulnerabilities in Zabbix
  • Priority: Minor - Minor loss of function, or other problem where easy workaround is present.
  • Status: Closed

People

Votes: 0

Watchers: 7

Dates

Created: 2021 Jan 04 09:54

Updated: 2022 Jan 24 10:28

Resolved: 2021 Jan 31 18:40
