SB2025100639 - Multiple vulnerabilities in Zabbix
Published: October 6, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-27231)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a logic error when updating the LDAP configuration. A remote authenticated administrator can change the 'Host' field of the LDAP server to an arbitrary value while the previously saved bind password is retained, and thereby recover the password that was stored for the previously configured server.
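The defect pattern behind this class of issue, and the corresponding fix, as an added illustration written for this bulletin (it is not Zabbix code and does not reproduce the product's actual update logic): a settings update that treats an empty password field as "keep the saved password" even when the connection target has changed, beside a hardened update that discards the stored secret whenever the host, port or bind DN changes. All names, the `LdapConfig` model and the sample values are hypothetical.

```python
"""Illustrative model of a 'saved secret follows a changed host' flaw.

Added example, not Zabbix code. The vulnerable update keeps the stored bind
password when the form leaves the password blank, regardless of which other
fields changed, so the next bind would send the saved secret to whatever host
was just entered. The hardened update keeps the saved password only while the
connection target is unchanged and otherwise requires it to be re-entered.
All names are hypothetical.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class LdapConfig:
    host: str
    port: int = 389
    bind_dn: str = ""
    bind_password: Optional[str] = None  # stored server-side, never echoed to the UI


# A change to any of these means the stored secret would go to a different endpoint.
CONNECTION_IDENTITY_FIELDS = ("host", "port", "bind_dn")


def _apply_form(current: LdapConfig, form: dict) -> LdapConfig:
    """Copy every non-secret form field onto a new config object."""
    return replace(current, **{k: v for k, v in form.items() if k != "bind_password"})


def update_ldap_vulnerable(current: LdapConfig, form: dict) -> LdapConfig:
    """Vulnerable pattern: blank password field means 'keep the saved one',
    even though the host may now point somewhere else."""
    new = _apply_form(current, form)
    if form.get("bind_password"):
        new.bind_password = form["bind_password"]
    return new  # saved secret now paired with a possibly arbitrary host


def update_ldap_hardened(current: LdapConfig, form: dict) -> LdapConfig:
    """Hardened pattern: the saved password survives only when the connection
    target is unchanged; a changed target requires the password to be supplied."""
    new = _apply_form(current, form)
    target_changed = any(
        getattr(new, f) != getattr(current, f) for f in CONNECTION_IDENTITY_FIELDS
    )
    supplied = form.get("bind_password")
    if supplied:
        new.bind_password = supplied
    elif target_changed:
        # Never carry a stored secret over to a new endpoint.
        raise ValueError("bind password must be re-entered when the LDAP server changes")
    return new


def simulate_bind(cfg: LdapConfig) -> tuple:
    """Stand-in for the outbound bind: the (host, password) pair that would leave the server."""
    return (cfg.host, cfg.bind_password)


if __name__ == "__main__":
    saved = LdapConfig(host="ldap.internal.example", bind_dn="cn=svc,dc=example",
                       bind_password="s3cret")  # constructed sample
    leaked = update_ldap_vulnerable(saved, {"host": "other-host.example", "bind_password": ""})
    print("vulnerable path would bind as:", simulate_bind(leaked))
    try:
        update_ldap_hardened(saved, {"host": "other-host.example", "bind_password": ""})
    except ValueError as e:
        print("hardened path refused:", e)
```

The check that matters is the comparison of the new and old connection-identity fields before deciding whether the stored secret may be reused; a UI that merely hides the password from the form does not by itself prevent the server from sending it to the new host.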
2) Improper access control (CVE-ID: CVE-2025-49641)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on the problem.view.refresh action. A remote user with no permission for the "Monitoring -> Problems" view can still call the problem.view.refresh action and thereby retrieve the list of active problems.
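The access-control gap described here is the classic case of two routes serving the same data with only one of them guarded. The following added example (written for this bulletin; it is not Zabbix code and the route table, permission name and sample data are all hypothetical) models a minimal action dispatcher with a vulnerable route table beside a hardened one, plus an audit helper that flags any route reusing a handler that another route protects with a permission.

```python
"""Illustrative model of an unguarded sibling route.

Added example, not Zabbix code. 'problem.view' and 'problem.view.refresh'
share a handler that returns the active problem list. In the vulnerable table
only the view route carries a permission check; in the hardened table both
routes are bound to the same permission, so the data has one authorization
gate regardless of which route serves it. Names are hypothetical.
"""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ACTIVE_PROBLEMS = ["host1: CPU high", "host2: disk full"]  # constructed sample data
VIEW_PERMISSION = "monitoring.problems.view"  # hypothetical permission name


class Forbidden(Exception):
    pass


def list_problems(user_perms: FrozenSet[str]) -> List[str]:
    return list(ACTIVE_PROBLEMS)


Route = Tuple[Optional[str], Callable[[FrozenSet[str]], List[str]]]

# action name -> (required permission or None, handler)
VULNERABLE_ROUTES: Dict[str, Route] = {
    "problem.view":         (VIEW_PERMISSION, list_problems),
    "problem.view.refresh": (None, list_problems),  # same data, no check
}
HARDENED_ROUTES: Dict[str, Route] = {
    "problem.view":         (VIEW_PERMISSION, list_problems),
    "problem.view.refresh": (VIEW_PERMISSION, list_problems),
}


def dispatch(routes: Dict[str, Route], action: str, user_perms: FrozenSet[str]) -> List[str]:
    """Run an action after enforcing whatever permission the route table declares."""
    required, handler = routes[action]
    if required is not None and required not in user_perms:
        raise Forbidden(action)
    return handler(user_perms)


def find_unguarded_siblings(routes: Dict[str, Route]) -> List[str]:
    """Audit helper: routes with no permission whose handler is guarded elsewhere."""
    guarded_handlers = set()
    for perm, handler in routes.values():
        if perm is not None:
            guarded_handlers.add(handler)
    return sorted(action for action, (perm, handler) in routes.items()
                  if perm is None and handler in guarded_handlers)


if __name__ == "__main__":
    anonymous = frozenset()
    print("audit (vulnerable):", find_unguarded_siblings(VULNERABLE_ROUTES))
    print("audit (hardened):  ", find_unguarded_siblings(HARDENED_ROUTES))
    print("vulnerable refresh without permission ->",
          dispatch(VULNERABLE_ROUTES, "problem.view.refresh", anonymous))
    try:
        dispatch(HARDENED_ROUTES, "problem.view.refresh", anonymous)
    except Forbidden as e:
        print("hardened refresh without permission -> Forbidden:", e)
```

The audit helper captures the review question a reader should ask of any route table: every endpoint that returns the same data as a guarded view must require the same permission, including auto-refresh, export and API variants of that view.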
Remediation
Install the update from the vendor's website.