Leak of the zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget.
The website configured in the URL widget receives the session cookie when a scheduled report is tested or executed. The received session cookie can then be used to access the frontend as that user.

Common Weakness Enumeration (CWE)
CWE-565 Reliance on Cookies without Validation and Integrity Checking

Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-593 Session Hijacking
CAPEC-233 Privilege Escalation

Known attack vectors
Any URL can be configured in a URL widget by a Zabbix user. The Zabbix session cookie may therefore become known to the operator of that website, and through them to an attacker. The attacker can use the cookie to impersonate the Zabbix user who created the report and authenticate to the Zabbix frontend with that user's privileges. Note that scheduled reports are available to the Admin and Super admin user types.

Affected components
Server, Web service

Affected version/s and fix version/s
6.0.0 - 6.0.21 / 6.0.22rc1
6.4.0 - 6.4.6 / 6.4.7rc1
7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4

Fix compatibility tests
Configuring only trusted URLs in the URL widget.
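The workaround above depends on knowing which URL widgets exist and where they point. The following audit script is an added example, not Zabbix's own code: it walks the structure returned by the Zabbix API's dashboard.get method (assumed layout: dashboards, pages, widgets of type "url", each carrying a field named "url") and flags every URL widget whose target is not on an administrator-maintained allowlist of trusted hosts. The dashboard data, the allowlist and the hostnames are constructed sample values, so the script runs offline; in practice the sample would be replaced with the live API response.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of a Zabbix `dashboard.get` response with
# selectPages enabled (assumed field layout: pages -> widgets -> fields).
SAMPLE_DASHBOARDS = [
    {
        "dashboardid": "1",
        "name": "Weekly report",
        "pages": [
            {
                "widgets": [
                    {"type": "url", "fields": [
                        {"type": 1, "name": "url", "value": "https://grafana.corp.example/d/abc"}]},
                    {"type": "url", "fields": [
                        {"type": 1, "name": "url", "value": "http://stats.example.net/"}]},
                    {"type": "problems", "fields": []},
                ]
            }
        ],
    },
    {
        "dashboardid": "2",
        "name": "Ops overview",
        "pages": [{"widgets": [{"type": "url", "fields": [
            {"type": 1, "name": "url", "value": "ftp://files.example.org/report"}]}]}],
    },
]

# Constructed allowlist: hosts the organisation is willing to send the
# report-generating session to. Maintained by the Zabbix administrators.
TRUSTED_HOSTS = {"grafana.corp.example", "wiki.corp.example"}


def url_widget_urls(dashboards):
    """Yield (dashboardid, dashboard name, url) for every URL widget found."""
    for dashboard in dashboards:
        for page in dashboard.get("pages", []):
            for widget in page.get("widgets", []):
                if widget.get("type") != "url":
                    continue
                for field in widget.get("fields", []):
                    if field.get("name") == "url":
                        yield dashboard["dashboardid"], dashboard["name"], field["value"]


def classify_url(url, trusted_hosts):
    """Return 'trusted', or a short reason why the URL should be reviewed."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"unsupported scheme {parsed.scheme!r}"
    if not parsed.hostname:
        return "relative or host-less URL"
    if parsed.hostname.lower() not in trusted_hosts:
        return f"host {parsed.hostname} not in allowlist"
    if parsed.scheme != "https":
        return "plain http to trusted host"
    return "trusted"


def audit(dashboards, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per URL widget that points outside the allowlist."""
    findings = []
    for dashboardid, name, url in url_widget_urls(dashboards):
        verdict = classify_url(url, trusted_hosts)
        if verdict != "trusted":
            findings.append({"dashboardid": dashboardid, "dashboard": name,
                             "url": url, "reason": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DASHBOARDS):
        print(f"dashboard {finding['dashboardid']} ({finding['dashboard']}): "
              f"{finding['url']} -> {finding['reason']}")
```

Run periodically, or before enabling a scheduled report, the script gives a list of dashboards whose report generation would send the session cookie to a host nobody has vetted; each finding is something to fix in the widget configuration (or to add to the allowlist after review) before the report is scheduled.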