Note:
This project will be discontinued after December 13, 2021. [more]
2019-10-09
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Products | Zabbix |
Type | Authorization Bypass Through User-Controlled Key (CWE-639) |
First patch | - None (likely due to unavailable code) |
Links |
• https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
• https://www.exploit-db.com/exploits/47467 |