
Damian Tommasino

#26981 of 53,633
9.3 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2011-4183
4.3
2011-08-19
Zabbix · Zabbix · CVE-2011-2904
**Name of the Vulnerable Software and Affected Versions**
Zabbix versions prior to 1.8.6

**Description**
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `backurl` parameter in the `acknow.php` file.

**Recommendations**
For versions prior to 1.8.6, update to version 1.8.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `acknow.php` file or avoiding the use of the `backurl` parameter until the update is applied.

PT-2011-4354
5.0
2011-08-19
Zabbix · Zabbix · CVE-2011-3264
**Name of the Vulnerable Software and Affected Versions**
Zabbix versions prior to 1.8.6

**Description**
The issue allows remote attackers to obtain sensitive information via an invalid `srcfld2` parameter to `popup.php`, which reveals the installation path in an error message.

**Recommendations**
For versions prior to 1.8.6, update to version 1.8.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `popup.php` endpoint until a patch is available. Avoid using the `srcfld2` parameter in the affected endpoint until the issue is resolved.