PT-2019-6332 · Zabbix+3
Published 2019-05-20 · Updated 2023-04-12 · CVE-2019-15132
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zabbix versions through 4.4.0alpha1
Description
The issue allows for user enumeration based on the variability of server responses to login requests. This can be achieved through the "Login name or password is incorrect" and "No permissions for system access" messages, or by the server blocking for a number of seconds. Both api_jsonrpc.php and index.php are affected. The vulnerability can be exploited by sending specially crafted requests, potentially allowing a remote attacker to gain unauthorized access to protected information.
Recommendations
For Zabbix versions through 4.4.0alpha1, consider restricting access to api_jsonrpc.php and index.php to minimize the risk of exploitation until a patch is available. As a temporary workaround, modifying the server response to be consistent for all login attempts could help mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Information Disclosure · Side Channel Attack
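The workaround of a consistent server response for all login attempts, shown as an added Python example that is not part of this advisory and not Zabbix's own code. It contrasts a constructed login handler whose failure messages and early return depend on why the attempt failed with a hardened one that returns the same message, performs the same password-hash work, and applies the same lockout rule for unknown names, wrong passwords, accounts without system access, and blocked names. The in-memory user store, the PBKDF2 parameters, the lockout threshold and duration, and the order of checks in the weak handler are all assumptions made for illustration.

```python
# Added example (not Zabbix code): uniform login responses against user
# enumeration. User store, hashing, lockout policy and check order are
# constructed assumptions for illustration only.
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

GENERIC_ERROR = "Login name or password is incorrect"
NO_ACCESS_ERROR = "No permissions for system access"
LOCKOUT_THRESHOLD = 5   # failures before a login name is blocked (assumed)
LOCKOUT_SECONDS = 30    # block duration in seconds (assumed)
_PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


# Constructed user store: login -> (salt, password digest, has_system_access)
_SALT_A, _SALT_B = b"\x01" * 16, b"\x02" * 16
USERS = {
    "alice": (_SALT_A, _hash("correct horse", _SALT_A), True),
    "bob": (_SALT_B, _hash("battery staple", _SALT_B), False),  # exists, no access
}
# Credential verified when the login name is unknown, so the slow hash runs on
# every attempt and response time does not reveal whether the name exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = os.urandom(32)

_failed_attempts = {}   # login name -> (failure count, time of last failure)


def reset_lockouts() -> None:
    _failed_attempts.clear()


def login_leaky(login: str, password: str) -> Tuple[bool, str]:
    """Constructed weak handler: the reply depends on why the login failed."""
    rec = USERS.get(login)
    if rec is None:
        return False, GENERIC_ERROR      # early return, also a timing tell
    salt, digest, has_access = rec
    if not has_access:
        return False, NO_ACCESS_ERROR    # confirms the name exists before any password check
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, GENERIC_ERROR
    return True, "OK"


def login_uniform(login: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Hardened handler: same message and same work for every failure cause."""
    now = time.time() if now is None else now
    count, last_failure = _failed_attempts.get(login, (0, 0.0))
    rec = USERS.get(login)
    # Always verify a hash; use the dummy credential when the name is unknown.
    salt, digest, has_access = rec if rec is not None else (_DUMMY_SALT, _DUMMY_DIGEST, False)
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    # Lockout is keyed on the attempted name and applied whether or not that
    # name exists, so being blocked (or not) cannot separate real from fake names.
    locked = count >= LOCKOUT_THRESHOLD and now - last_failure < LOCKOUT_SECONDS
    if locked:
        return False, GENERIC_ERROR
    if rec is None or not password_ok or not has_access:
        _failed_attempts[login] = (count + 1, now)
        return False, GENERIC_ERROR
    _failed_attempts.pop(login, None)
    return True, "OK"


def responses_distinguish(login_fn, existing: str, unknown: str, password: str) -> bool:
    """True if the handler answers differently for an existing and an unknown name."""
    return login_fn(existing, password) != login_fn(unknown, password)


if __name__ == "__main__":
    print("leaky handler distinguishes names:", responses_distinguish(login_leaky, "bob", "ghost", "wrong"))
    print("uniform handler distinguishes names:", responses_distinguish(login_uniform, "bob", "ghost", "wrong"))
```

The hardened handler deliberately hides the "no permissions" condition behind the generic message as well; a user without access learns nothing new from it, while an outsider can no longer use that message to confirm the account exists. Logging the real cause server-side for operators is still appropriate, as long as it never reaches the client response.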
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Ubuntu
Zabbix