Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

Published: 2019-08-17 18:15
Updated: 2019-08-29 14:52

CVSS Score: 5.0 / 10

| Vendor | Product | Version | URI |
|--------|---------|---------|-----|
| Zabbix | Zabbix | 4.2.5 | cpe:/a:zabbix:zabbix:4.2.5 |
| Zabbix | Zabbix | 4.2.6 | cpe:/a:zabbix:zabbix:4.2.6:rc1 |
| Zabbix | Zabbix | 4.4.0 | cpe:/a:zabbix:zabbix:4.4.0:alpha1 |


| ID | Name | Description | Links |
|----|------|-------------|-------|
| CWE-200 | Information Exposure | An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. | CVE |


History of changes

Date Event
2019-08-29 14:52
2019-08-17 18:15