[ZBX-7693] User type "Zabbix Admin" users can modify the media for all Zabbix users - Security hole - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Defect (Security)
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.2.1
Fix Version/s: 1.8.20rc2, 2.0.11rc2, 2.2.2rc1, 2.3.0
Component/s: Frontend (F)
Labels:
- patch
- permissions
- security
- usermedia

Description

Based on the UI, I would assume (and hope) that only Zabbix Super Admins could modify the media for any user. In the UI, only Zabbix Super Admins can get to the Administration tab to make user changes. Using the API, I did a test today and found that a user of type "Zabbix Admin" user can modify the media for any users in the zabbix system! For history on why I found this, see ZBXNEXT-2122.

CVE-2014-1685

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ZBX-7693-modify-own-profile.patch
2 kB
2014 Jan 23 06:41

Activity

People

Assignee:: Unassigned

Reporter:: Corey Shaw

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 2014 Jan 23 01:48

Updated:: 2020 Jul 16 14:10

Resolved:: 2014 Feb 06 14:05