Summary: Leak of the zbx_session cookie when a scheduled report includes a dashboard with a URL widget.

Description: When a scheduled report is tested or executed, the website configured in the URL widget receives the session cookie of the user who created the report. Whoever receives that cookie can use it to access the Zabbix frontend as that user.

Known attack vectors: Any URL can be configured in a URL widget by a Zabbix user, so the Zabbix session cookie can become known to the operator of that website, or to an attacker who controls it. The attacker can then use the cookie to impersonate the Zabbix user who created the report and authenticate to the Zabbix frontend with that user's privileges. Note that scheduled reports are available only to the Admin and Super admin user types, so the leaked session belongs to a user of at least Admin type.

Affected versions: 6.0.0 - 6.0.21, 6.4.0 - 6.4.6, 7.0.0alpha1 - 7.0.0alpha3
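The following is an added audit helper, not Zabbix project code and not part of the original advisory. It does two things a practitioner would want while triaging this issue: check a Zabbix version string against the affected ranges listed above, and list URL widgets on dashboards that scheduled reports render whose host is not on a trusted allowlist (those are the hosts that would receive the cookie). The JSON shape of the Zabbix API responses (dashboard.get with pages and widgets, widget type "url" with a field named "url", report.get objects carrying a dashboardid) is assumed from the API as the author knows it, and the sample data is constructed inline so the script runs offline.

```python
"""Triage helper for the zbx_session leak via URL widgets in scheduled reports.

Assumptions (not from the advisory): the dashboard.get / report.get response
shapes below, and that URL widgets have type "url" with a field named "url".
"""
import re
from urllib.parse import urlsplit

# Affected ranges exactly as listed in the advisory.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 21)),
    ((6, 4, 0), (6, 4, 6)),
]
AFFECTED_PRERELEASES = {"7.0.0alpha1", "7.0.0alpha2", "7.0.0alpha3"}


def is_affected(version: str) -> bool:
    """Return True if the given Zabbix version string is in an affected range."""
    if version in AFFECTED_PRERELEASES:
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False  # unknown format or other pre-release: not matched
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def external_url_widgets(dashboards, reports, trusted_hosts):
    """List (dashboard name, page index, url) for URL widgets that would send the
    report creator's cookie to a host outside trusted_hosts.

    Only dashboards referenced by a scheduled report are considered, because the
    leak happens when the report is tested or executed. Relative URLs resolve to
    the frontend itself, so they are treated as trusted.
    """
    reported_ids = {r["dashboardid"] for r in reports}
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for d in dashboards:
        if d["dashboardid"] not in reported_ids:
            continue
        for page_idx, page in enumerate(d.get("pages", [])):
            for widget in page.get("widgets", []):
                if widget.get("type") != "url":
                    continue
                for field in widget.get("fields", []):
                    if field.get("name") != "url":
                        continue
                    host = (urlsplit(field["value"]).hostname or "").lower()
                    if host and host not in trusted:
                        findings.append((d["name"], page_idx, field["value"]))
    return findings


# Constructed sample data in the assumed API shape (not captured from a real system).
SAMPLE_DASHBOARDS = [
    {"dashboardid": "1", "name": "Ops overview", "pages": [
        {"widgets": [
            {"type": "url", "fields": [
                {"type": 1, "name": "url", "value": "https://zabbix.example.internal/zabbix/map.php"}]},
            {"type": "url", "fields": [
                {"type": 1, "name": "url", "value": "https://status.third-party.example/embed"}]},
            {"type": "problems", "fields": []},
        ]},
        {"widgets": [
            {"type": "url", "fields": [
                {"type": 1, "name": "url", "value": "/zabbix/zabbix.php?action=dashboard.view"}]},
        ]},
    ]},
    {"dashboardid": "2", "name": "Unreported", "pages": [
        {"widgets": [
            {"type": "url", "fields": [
                {"type": 1, "name": "url", "value": "https://evil.example/collect"}]},
        ]},
    ]},
]
SAMPLE_REPORTS = [{"reportid": "10", "dashboardid": "1"}]  # dashboard 2 has no report
TRUSTED_HOSTS = {"zabbix.example.internal"}


if __name__ == "__main__":
    for ver in ("6.0.21", "6.0.22", "6.4.6", "7.0.0alpha3"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for name, page, url in external_url_widgets(SAMPLE_DASHBOARDS, SAMPLE_REPORTS, TRUSTED_HOSTS):
        print(f"dashboard {name!r} page {page}: cookie would be sent to {url}")
```

Until the frontend is upgraded, the findings list is the set of widgets to remove or re-point at the frontend's own origin; the "Unreported" dashboard is deliberately skipped because no scheduled report renders it, which is the condition the advisory ties the leak to.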
Created zabbix tracking bugs for this issue:
Affects: epel-all [bug 2255112]
Affects: fedora-all [bug 2255113]