CVE-2021-27927 log

Source
Severity: Medium
Remote: Yes
Type: Authentication bypass
Description
In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller and the CControllerModuleScan view both lack a CSRF protection mechanism: in both cases the code calls disableSIDvalidation() inside the init() method. An attacker does not need to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Group     Package              Affected  Fixed    Severity  Status  Ticket
AVG-1771  zabbix-frontend-php  5.2.5-1   5.2.6-1  Medium    Fixed
References
https://support.zabbix.com/browse/ZBX-18942
https://support.zabbix.com/browse/DEV-1794
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d039aaea56a98486e3b02433d581b4140fbf6fea
https://support.zabbix.com/browse/ZBX-19150
https://support.zabbix.com/browse/DEV-1853
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ee6a7de015922121ecf33b856c210e12e9aa84f2