PT-2024-9179 · Zabbix+4 · Zabbix+4

Vjaceslavs Bogdanovs

Published

2024-05-28

Updated

2025-11-11

CVE-2024-36466

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Zabbix (affected versions not specified)

Description: A bug in the code allows an attacker to sign a forged zbx session cookie, which then allows them to sign in with admin permissions. This issue is related to the authentication mechanism, specifically allowing attackers to bypass authentication via spoofing. Exploitation of this issue can enable a remote attacker to bypass existing security restrictions and elevate their privileges using a specially crafted signed zbx session cookie.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-290

Related Identifiers

ALT-PU-2024-16527

ALT-PU-2024-16638

BDU:2024-10866

CVE-2024-36466

Affected Products

Alt Linux

Astra Linux

Debian

Red Os

Zabbix

PT-2024-9179 · Zabbix+4 · Zabbix+4

CVE-2024-36466

Weakness Enumeration

Related Identifiers

Affected Products

References · 31