
Description

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver, leading to potential confidentiality loss.

PUBLISHED | Reserved 2025-02-20 | Published 2025-12-01 | Updated 2025-12-01 | Assigner Zabbix

MEDIUM: 6.8 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

Default status: unknown

7.4.0 (git): affected

Credits

Zabbix wants to thank o4ncL1 for submitting this report on the HackerOne bug bounty platform.

References

support.zabbix.com/browse/ZBX-27282

cve.org (CVE-2025-27232)

nvd.nist.gov (CVE-2025-27232)