SecuritySpace - CVE-2021-27927

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

CVE ID: CVE-2021-27927

Description: In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

Test IDs: 1.3.6.1.4.1.25623.1.1.1.2.2023.3390

Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2021-27927
https://support.zabbix.com/browse/ZBX-18942
https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html

CVE ID:	CVE-2021-27927
Description:	In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.
Test IDs:	1.3.6.1.4.1.25623.1.1.1.2.2023.3390
Cross References:	Common Vulnerability Exposure (CVE) ID: CVE-2021-27927 https://support.zabbix.com/browse/ZBX-18942 https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html