CVE-2025-49641 | THREATINT

Description

A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

PUBLISHED Reserved 2025-06-09 | Published 2025-10-03 | Updated 2025-10-03 | Assigner Zabbix

MEDIUM: 5.1CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

Default status

unknown

6.0.0 (git)

affected

7.0.0 (git)

affected

7.2.0 (git)

affected

7.4.0 (git)

affected

Credits

Zabbix wants to thank Y. Kahveci for finding and reporting this issue. reporter

References

support.zabbix.com/browse/ZBX-27063

cve.org (CVE-2025-49641)

nvd.nist.gov (CVE-2025-49641)

Download JSON