CVE-2021-27927

Published: Mar 3, 2021Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

Affected (3)

Products: Zabbix: Zabbix

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Zabbix Zabbix	From 4.0.0 to 4.0.27
Zabbix Zabbix	From 5.0.0 to 5.0.9
Zabbix Zabbix	From 5.2.0 to 5.2.3

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

Source: cve@mitre.org

https://support.zabbix.com/browse/ZBX-18942

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://support.zabbix.com/browse/ZBX-18942

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.