Loading...

XML

Word

Printable

Type: Change Request
Resolution: Fixed
Priority: Trivial
Fix Version/s: 6.4.0rc1, 6.4 (plan)
Affects Version/s: 6.4 (plan)
Component/s: Frontend (F)
Labels:
- security

Sprint:
Sprint 94 (Nov 2022), Sprint 95 (Dec 2022), Sprint 96 (Jan 2023), Sprint 97 (Feb 2023)
Story Points:
4

CSRF tokens should be generated in a way that is not guessable by the attacker, so if an attacker wants to send a request he should first get the CSRF token to include it in the request. Zabbix UI uses part of a session id as a CSRF token and is never changed between requests (not until the session is changed).

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image-2023-01-29-23-35-38-428.png
128 kB
2023 Jan 29 23:35
image-2023-01-29-23-39-21-113.png
122 kB
2023 Jan 29 23:39
image-2023-01-30-13-14-02-890.png
21 kB
2023 Jan 30 13:14
image-2023-01-30-13-15-35-403.png
54 kB
2023 Jan 30 13:15
screenshot-1.png
61 kB
2023 Jan 31 14:15

causes

ZBX-25087 Documentation scenario doesn't match Zabbix frontend (9 Web monitoring / 2 Real-life scenario)

Closed

ZBX-22526 Can't delete just exported template

Closed

ZBX-22811 CSRF token visible in link in Monitoring->Hosts

Closed

mentioned in: Page Loading...; Page Loading...

Assignee:: Gregory Chalenko

Reporter:: Vjaceslavs Bogdanovs

Team:: Team C

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Created:: 2022 Nov 01 13:45

Updated:: 2024 Aug 28 09:45

Resolved:: 2023 Feb 19 21:12

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates