An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.
Authentication privilege escalation via user groups due to missing authorization checks (CVE-2024-36467)
- Zabbix Support Team
- Vjaceslavs Bogdanovs
- Votes:
-
0 Vote for this issue
- Watchers:
-
1 Start watching this issue
- Created:
- Updated:
- Resolved: