Admin Access vulnerability through Forged Cookies
CVE-2024-36466

8.8 HIGH

Key Information:

Vendor: Zabbix
Status: Vendor
CVE Published: 28 November 2024

What is CVE-2024-36466?

A vulnerability in Zabbix allows an attacker to craft and sign a forged zbx_session cookie. By exploiting this flaw, the attacker can gain unauthorized access with admin permissions, compromising the integrity and security of the entire system. This issue underscores the importance of robust session management and validation to prevent unauthorized actions within the Zabbix platform.

Affected Version(s)

Zabbix 6.0.0 through 6.0.31

Zabbix 6.4.0 through 6.4.16

Zabbix 7.0.0

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Credit

Zabbix wants to thank Márk Rákóczi (reeeeeeeeeeee) for submitting this report on the HackerOne bug bounty platform.