Zabbix 5.x < 5.0.46rc1 / 6.x < 6.0.38rc1 / 7.0.x < 7.0.9rc1 / 7.2.x < 7.2.3rc1 User Enumeration (ZBX-26255)

low Nessus Plugin ID 233861

Synopsis

A web application running on the remote host is affected by a user enumeration vulnerability.

Description

The version of Zabbix installed on the remote host is affected by a user enumeration vulnerability. Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Zabbix version 5.0.46rc1, 6.0.38rc1, 7.0.9rc1, 7.2.3rc1 or later.

See Also

https://support.zabbix.com/browse/ZBX-26255

Plugin Details

Severity: Low

ID: 233861

File Name: zabbix_frontend_ZBX-26255.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 4/4/2025

Updated: 4/4/2025

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Low

Base Score: 1.8

Vector: CVSS2#AV:A/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-36469

CVSS v3

Risk Factor: Low

Base Score: 2

Vector: CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:zabbix:zabbix

Required KB Items: installed_sw/zabbix

Excluded KB Items: Settings/disable_cgi_scanning

Patch Publication Date: 4/1/2025

Vulnerability Publication Date: 4/1/2025

Reference Information

CVE: CVE-2024-36469

IAVA: 2025-A-0215