CVE-2021-27927

Published: Mar 3, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://support.zabbix.com/browse/ZBX-18942

[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-27927

Description

Affected Products

References