PT-2019-5822 · Zabbix

Published 2018-10-05 · Updated 2023-10-21 · CVE-2019-17382

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Zabbix versions prior to 4.4

Description: An issue was discovered in "zabbix.php?action=dashboard.view&dashboardid=1" that allows an attacker to bypass the login page and access the dashboard page anonymously. The attacker can then create a Dashboard, Report, Screen, or Map without supplying any username or password. All created elements are visible to other users and to an admin. The vulnerability is an authorization bypass through a user-controlled key (the dashboardid parameter), which lets a remote attacker reach the dashboard page and create elements.

Recommendations: For Zabbix versions prior to 4.4, consider disabling access to the "zabbix.php?action=dashboard.view&dashboardid=1" endpoint until a patch is available. Restrict access to the dashboard page to minimize the risk of exploitation. Avoid using the dashboardid parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
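One way to apply the recommendation at a reverse proxy in front of the Zabbix frontend, as an added example that is not part of this advisory and not Zabbix's own configuration: an nginx fragment that returns 403 for requests to zabbix.php whose action parameter is dashboard.view unless the client comes from an administrators' network. The hostname, the trusted subnet and the PHP-FPM socket path are placeholders to be replaced with your own values; the $arg_action variable, geo and map are standard nginx features.

```nginx
# Added mitigation example (not from the advisory): block the affected
# dashboard.view endpoint for everyone except a trusted admin network
# until Zabbix is upgraded to a fixed release.

# 1 when the client address is in the administrators' network (placeholder CIDR).
geo $trusted_admin {
    default       0;
    10.0.0.0/8    1;   # placeholder: replace with your admin subnet
}

# 1 when the request is for action=dashboard.view AND the client is not trusted.
map "$arg_action:$trusted_admin" $block_dashboard {
    default               0;
    "dashboard.view:0"    1;
}

server {
    listen 443 ssl;
    server_name zabbix.example.com;   # placeholder hostname
    root /usr/share/zabbix;           # adjust to your frontend path

    location = /zabbix.php {
        # $block_dashboard is computed by the map above; refuse the
        # request before it ever reaches PHP.
        if ($block_dashboard) {
            return 403;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # adjust to your PHP-FPM socket
    }

    location / {
        index index.php;
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` after editing and verify with a request from outside the trusted range that `GET /zabbix.php?action=dashboard.view&dashboardid=1` now returns 403 while other actions continue to work; if you want the endpoint disabled entirely, as the advisory suggests, drop the geo block and set the map to return 1 for "dashboard.view:0" and "dashboard.view:1" alike.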

Exploit: IDOR

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2422
ALT-PU-2019-1862
ALT-PU-2019-3069
ALT-PU-2020-1083
ALT-PU-2020-3446
ALT-PU-2021-1587
ALT-PU-2021-2018
ALT-PU-2021-2582
ALT-PU-2021-2668
ALT-PU-2021-3617
ALT-PU-2022-1975
ALT-PU-2022-2499
ALT-PU-2023-6268
BDU:2021-03179
CVE-2019-17382
DLA-3538-1
DLA-3538-2

Affected Products

Alt Linux
Zabbix