CVE-2019-17382
Published 2019-10-09
Priority P273 · critical 9.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT · EPSS 54.15% (98.9th percentile)
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < 1:5.0.0+dfsg-1 (bookworm) | 1:5.0.0+dfsg-1 |
| zabbix | zabbix | <= 4.4 | — (no upstream code fix; disable the guest account) |
| debian | zabbix | < 1:5.0.0+dfsg-1 (bullseye) | 1:5.0.0+dfsg-1 |
| debian | zabbix | < 1:5.0.0+dfsg-1 (forky) | 1:5.0.0+dfsg-1 |
| debian | zabbix | < 1:5.0.0+dfsg-1 (sid) | 1:5.0.0+dfsg-1 |
| debian | zabbix | < 1:5.0.0+dfsg-1 (trixie) | 1:5.0.0+dfsg-1 |
Detection & IOCs (extracted from sources)
- An unauthenticated GET to zabbix.php with action=dashboard.view and a dashboardid parameter that returns HTTP 200 with 'Dashboard' in the body indicates the bypass works (the guest account is enabled).
- Fingerprint Zabbix instances by matching the response body for any of 'warning [refreshed every', 'zabbix-logo', or 'content="zabbix sia'; used as a pre-check before attempting the auth bypass.
- Shodan query (favicon hash) to identify exposed Zabbix servers for targeting or detection.
- FOFA query to identify Zabbix servers with SAML enabled, which may be targeted for this auth bypass.
- Google dork to identify exposed Zabbix servers.
- The Exploit-DB entry chains the auth bypass (CVE-2019-17382) with a stored XSS via the Map navigation tree widget 'Name' parameter on the dashboard; monitor for unauthenticated POST requests to dashboard creation endpoints.
- Zabbix upstream considers the issue 'not a bug': it is resolved by disabling the guest account rather than by a code patch. Ensure guest/anonymous access is disabled in the Zabbix configuration.
- The nuclei template uses a clusterbomb attack iterating dashboardid values from a numbers wordlist, so detection rules should account for sequential numeric dashboardid enumeration in unauthenticated requests.
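As an added example (not from any source this page aggregates), the following Python turns the last two IOCs above into a check over web-server access logs: it flags clients that walk many dashboardid values and clients whose dashboard.view requests are answered with HTTP 200 without a preceding login POST to index.php. The sample log lines are constructed; the enumeration threshold and the login-POST heuristic are assumptions, not something the sources specify.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed tuning knob: how many distinct dashboardid values from one client count as enumeration.
ENUM_THRESHOLD = 5


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=ENUM_THRESHOLD):
    """Return {client_ip: [reasons]} for clients whose dashboard.view traffic looks like the bypass."""
    dash_ids = defaultdict(set)   # ip -> distinct dashboardid values requested
    dash_ok = defaultdict(int)    # ip -> dashboard.view requests answered with 200
    logged_in = set()             # ips that POSTed to index.php (the Zabbix login form)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/index.php"):
            logged_in.add(rec["ip"])
        if rec["path"].endswith("/zabbix.php") and rec["query"].get("action") == "dashboard.view":
            did = rec["query"].get("dashboardid")
            if did is not None:
                dash_ids[rec["ip"]].add(did)
            if rec["status"] == 200:
                dash_ok[rec["ip"]] += 1
    findings = {}
    for ip in set(dash_ids) | set(dash_ok):
        reasons = []
        if len(dash_ids[ip]) >= threshold:
            reasons.append("dashboardid enumeration: %d distinct ids" % len(dash_ids[ip]))
        if dash_ok[ip] and ip not in logged_in:
            reasons.append("dashboard.view served 200 with no login POST from this client")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log (not real traffic). 203.0.113.7 walks dashboardid 1..6 without logging in;
# 198.51.100.4 logs in first, then opens dashboard 1; 192.0.2.9 opens dashboard 1 once, never logs in.
_LINE = '%s - - [10/Oct/2019:13:55:%02d +0000] "%s %s HTTP/1.1" %d 5123 "-" "Mozilla/5.0"'
SAMPLE_LOG = [
    _LINE % ("203.0.113.7", i, "GET", "/zabbix/zabbix.php?action=dashboard.view&dashboardid=%d" % i, 200)
    for i in range(1, 7)
] + [
    _LINE % ("198.51.100.4", 10, "POST", "/zabbix/index.php", 302),
    _LINE % ("198.51.100.4", 11, "GET", "/zabbix/zabbix.php?action=dashboard.view&dashboardid=1", 200),
    _LINE % ("192.0.2.9", 20, "GET", "/zabbix/zabbix.php?action=dashboard.view&dashboardid=1", 200),
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

The "no login POST" heuristic depends on the log window: a user who authenticated before the window starts looks anonymous, so treat that finding as a triage lead and confirm against Zabbix's own audit log (sessions belonging to the guest user). The 200 status is the part worth keeping, because a guest-disabled instance answers an anonymous dashboard.view with a redirect to the login page rather than the dashboard.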
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
Debian
CVE-2019-17382: zabbix - An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zab...
vendor_debian · 2019 · CVSS 9.1 (CRITICAL)
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
Scope: local
bookworm: resolved (fixed in 1:5.0.0+dfsg-1)
bullseye: resolved (fixed in 1:5.0.0+dfsg-1)
forky: resolved (fixed in 1:5.0.0+dfsg-1)
sid: resolved (fixed in 1:5.0.0+dfsg-1)
trixie: resolved (fixed in 1:5.0.0+dfsg-1)
GHSA
GHSA-x4g7-vjj9-57q3: An issue was discovered in zabbix
ghsa_unreviewed · 2022-05-24 · severity MEDIUM · CWE-639
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
OSV
CVE-2019-17382: An issue was discovered in zabbix
osv · 2019-10-09 · CVSS 9.1 (CRITICAL)
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
No detection rules found.
Exploit-DB
Zabbix 3.4.7 - Stored XSS
exploitdb · 2021-03-31 · CVSS 9.1 (CRITICAL)
---
# Exploit Title: Zabbix 3.4.7 - Stored XSS
# Date: 30-03-2021
# Exploit Author: Radmil Gazizov
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn3.4.7
# Version: 3.4.7
# Tested on: Linux
# Reference -
https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt
1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
2- Create a new dashboard
3- Add a new widget => Type: Map navigation tree
4- Paste into parameter "Name":
5- Click the "Add" button
Nuclei
Zabbix <=4.4 - Authentication Bypass
nuclei · CVSS 9.1 (CRITICAL)
Zabbix =4.4) to mitigate this vulnerability.
reference:
  - https://www.exploit-db.com/exploits/47467
  - https://nvd.nist.gov/vuln/detail/CVE-2019-17382
  - https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html
  - https://github.com/huimzjty/vulwiki
  - https://github.com/merlinepedra25/nuclei-templates
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  cvss-score: 9.1
  cve-id: CVE-2019-17382
  cwe-id: CWE-639
  epss-score: 0.93689
  epss-percentile: 0.99848
  cpe: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
metadata:
  max-request: 100
  vendor: zabbix
  product: zabbix
  shodan-query:
    - http.favicon.hash:892542951
    - http.title:"zabbix-server"
    - cpe:"cpe:2.3:a:zabbix:zabbix"
  fofa-query:
    - icon_hash=892542951
    - app="zabbix-监控系统" && body="saml"
    - title="zabbix-server"
  google-query:
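The nuclei template's logic, as summarised in the Detection & IOCs list (fingerprint pre-check, then walk dashboardid values and look for HTTP 200 with 'Dashboard' in the body), reduced to a self-test an operator can run against their own instance. This is an added example, not the nuclei template or Zabbix code; the HTTP layer is injected as a `fetch(url) -> (status, body)` callable, and `fake_server` is a constructed stand-in whose responses (including the 302 for a guest-disabled instance) are assumptions so that the check runs offline.

```python
from urllib.parse import urljoin

# Fingerprints the page's IOC list gives for recognising a Zabbix front end (compared case-insensitively).
ZABBIX_FINGERPRINTS = ("warning [refreshed every", "zabbix-logo", 'content="zabbix sia')


def looks_like_zabbix(body):
    """Pre-check: does the response body carry any Zabbix fingerprint string?"""
    low = body.lower()
    return any(f in low for f in ZABBIX_FINGERPRINTS)


def check_guest_dashboard(base_url, fetch, dashboard_ids=range(1, 6)):
    """Probe whether dashboard.view answers anonymous clients.

    fetch(url) -> (status_code, body) must send no cookies and must not follow redirects,
    so that a guest-disabled instance is seen as the redirect to the login page it returns.
    Walks dashboard_ids the way the nuclei template's numbers wordlist does.
    """
    result = {"zabbix": False, "exposed": False, "open_dashboards": []}
    _, body = fetch(urljoin(base_url, "index.php"))
    result["zabbix"] = looks_like_zabbix(body)
    if not result["zabbix"]:
        return result
    for did in dashboard_ids:
        url = urljoin(base_url, "zabbix.php?action=dashboard.view&dashboardid=%d" % did)
        status, body = fetch(url)
        # The page's indicator: HTTP 200 with 'Dashboard' in the body, with no credentials sent.
        if status == 200 and "Dashboard" in body:
            result["open_dashboards"].append(did)
    result["exposed"] = bool(result["open_dashboards"])
    return result


def fake_server(guest_enabled):
    """Constructed stand-in for a Zabbix front end so the check runs offline (assumed responses)."""
    def fetch(url):
        if "action=dashboard.view" in url:
            if guest_enabled:
                return 200, "<html><head><title>Dashboard</title></head><body class='zabbix-logo'></body></html>"
            return 302, ""  # assumed: redirect to index.php when the guest account is disabled
        return 200, '<html><head><meta name="Author" content="Zabbix SIA"></head></html>'
    return fetch


if __name__ == "__main__":
    base = "http://zabbix.example/zabbix/"   # hypothetical host
    print("guest enabled :", check_guest_dashboard(base, fake_server(True)))
    print("guest disabled:", check_guest_dashboard(base, fake_server(False)))
```

For a live instance you are authorised to test, a suitable `fetch` wraps `requests.get(url, allow_redirects=False, timeout=10)` and returns `(r.status_code, r.text)` from a fresh session with no cookies. A non-empty `open_dashboards` means the guest account is enabled; as the IOC list notes, upstream treats this as configuration, so the fix is to disable the guest user rather than wait for a patch.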
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-7]
bugzilla · 2019-11-18 · CVSS 9.1 (CRITICAL)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for t
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page
bugzilla · 2019-11-18 · CVSS 9.1 (CRITICAL)
An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.
https://www.exploit-db.com/exploits/47467
Discussion:
Created zabbix tracking bugs for this issue:
Affects: epel-6 [bug 1773711]
Affects: epel-7 [bug 1773712]
Affects: epel-8 [bug 1773713]
Affects: fedora-all [bug 1773710]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commerci
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [fedora-all]
bugzilla · 2019-11-18 · CVSS 9.1 (CRITICAL)
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-6]
bugzilla · 2019-11-18 · CVSS 9.1 (CRITICAL)
Bugzilla
CVE-2019-17382 zabbix: authentication bypass allows access to dashboard page [epel-8]
bugzilla · 2019-11-18 · CVSS 9.1 (CRITICAL)