A bug in the code allows an attacker to sign a forged zbx_session cookie, which then allows them to sign in with admin permissions.
{ "urgency": "not yet assigned" }