{"api_version":"1","generated_at":"2026-04-23T04:34:04+00:00","cve":"CVE-2021-27927","urls":{"html":"https://cve.report/CVE-2021-27927","api":"https://cve.report/api/cve/CVE-2021-27927.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-27927","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-27927"},"summary":{"title":"CVE-2021-27927","description":"In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-03 17:15:00","updated_at":"2023-04-12 16:15:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"https://support.zabbix.com/browse/ZBX-18942","name":"https://support.zabbix.com/browse/ZBX-18942","refsource":"MISC","tags":["Issue Tracking","Patch","Vendor Advisory"],"title":"[ZBX-18942] CControllerAuthenticationUpdate controller is not protected by a CSRF token (CVE-2021-27927) - ZABBIX SUPPORT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html","name":"[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3390-1] zabbix security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-27927","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27927","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"27927","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27927","vulnerable":"1","versionEndIncluding":"4.0.27","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27927","vulnerable":"1","versionEndIncluding":"5.0.9","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27927","vulnerable":"1","versionEndIncluding":"5.2.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zabbix","cpe5":"zabbix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-27927","qid":"174907","title":"SUSE Enterprise Linux Security Update for zabbix (SUSE-SU-2021:0990-1)"},{"cve":"CVE-2021-27927","qid":"180546","title":"Debian Security Update for zabbix (CVE-2021-27927)"},{"cve":"CVE-2021-27927","qid":"181729","title":"Debian Security Update for zabbix (DLA 3390-1)"},{"cve":"CVE-2021-27927","qid":"181731","title":"Debian Security Update for zabbix (DLA 3390-1)"},{"cve":"CVE-2021-27927","qid":"501335","title":"Alpine Linux Security Update for zabbix"},{"cve":"CVE-2021-27927","qid":"501726","title":"Alpine Linux Security Update for zabbix"},{"cve":"CVE-2021-27927","qid":"505596","title":"Alpine Linux Security Update for zabbix"},{"cve":"CVE-2021-27927","qid":"751719","title":"OpenSUSE Security Update for zabbix (openSUSE-SU-2022:0036-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-27927","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://support.zabbix.com/browse/ZBX-18942","refsource":"MISC","name":"https://support.zabbix.com/browse/ZBX-18942"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230412 [SECURITY] [DLA 3390-1] zabbix security update","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html"}]},"source":{"discovery":"INTERNAL"}},"nvd":{"publishedDate":"2021-03-03 17:15:00","lastModifiedDate":"2023-04-12 16:15:00","problem_types":["CWE-352"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndIncluding":"4.0.27","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndIncluding":"5.0.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2.0","versionEndIncluding":"5.2.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"27927","Ordinal":"203042","Title":"CVE-2021-27927","CVE":"CVE-2021-27927","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"27927","Ordinal":"1","NoteData":"In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"27927","Ordinal":"2","NoteData":"2021-03-03","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"27927","Ordinal":"3","NoteData":"2021-03-29","Type":"Other","Title":"Modified"}]}}}