Martina Matari

**Name of the Vulnerable Software and Affected Versions** Zabbix versions prior to 1.8.10 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters to various PHP files, including `hostgroups.php`, `usergrps.php`, `hosts.php`, `scripts.php`, and `maintenance.php`. The `gname` parameter, also known as host groups name, is particularly vulnerable. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 1.8.10, update to version 1.8.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable PHP files, such as `hostgroups.php`, `usergrps.php`, `hosts.php`, `scripts.php`, and `maintenance.php`, until the update can be applied. Avoid using the `gname` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZABBIX versions prior to 1.8.10 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the profiler. **Recommendations** For versions prior to 1.8.10, update to version 1.8.10 or later to resolve the issue.