CVE-2019-17382

CRITICAL severity · CVSS 9.1 · Authorization bypass

9.1CVSS CRITICAL

Summary

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)94%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products we track (1)

Zabbix

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
https://www.exploit-db.com/exploits/47467Advisory
https://www.exploit-db.com/exploits/47467Advisory