Unrated severity · NVD Advisory · Published Aug 19, 2011 · Updated Apr 29, 2026

CVE-2011-2904

Description

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter in acknow.php.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Zabbix versions prior to 1.8.6. The flaw resides in the acknow.php script, where the backurl parameter is not properly sanitized before being reflected back to the user. This allows an attacker to inject arbitrary web script or HTML. The issue was reported in Secunia advisories [1][2] and tracked in Red Hat Bugzilla [3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a backurl parameter with embedded JavaScript or HTML. The victim must be tricked into clicking the link, which then executes the injected code in the context of the Zabbix web interface. No authentication is required to trigger the XSS, as the vulnerable parameter is processed without proper validation.

Impact

Successful exploitation allows the attacker to execute arbitrary script in the victim's browser within the Zabbix application's security context. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the Zabbix interface. The impact is limited to the browser session of the targeted user.

Mitigation

The vulnerability is fixed in Zabbix version 1.8.6, released on August 8, 2011 [3]. Users should upgrade to 1.8.6 or later. No workarounds are documented; upgrading is the recommended action. The CVE was assigned on August 9, 2011 [4].
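As an added example (not Zabbix's own code; the function names and the default path are hypothetical), the unsafe reflection pattern the advisory describes is shown beside a hardened version that allowlists a relative, same-site path and HTML-escapes at the output boundary:

```php
<?php
// Added illustration, not code from acknow.php. A "back" link is built from a
// query parameter; the unsafe version reflects it verbatim, the safe version
// validates it first and escapes when it is written into the attribute.

// VULNERABLE pattern: raw query value written straight into the HTML.
function render_back_link_unsafe(string $backurl): string {
    return '<a href="' . $backurl . '">Back</a>';
}

// HARDENED: accept only a relative same-site path plus an optional query
// string. The character allowlist excludes ':', '<', '>', '"' and whitespace,
// so no scheme (javascript:, http:) or tag can survive; '//' and '..' are
// refused separately. Anything else falls back to a fixed default page.
function sanitize_backurl(?string $backurl, string $default = 'tr_status.php'): string {
    if ($backurl === null || $backurl === '') {
        return $default;
    }
    if (strncmp($backurl, '//', 2) === 0) {            // scheme-relative URL
        return $default;
    }
    if (!preg_match('#^[A-Za-z0-9_./?=&%-]+$#', $backurl)) {
        return $default;
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $backurl)) {     // path traversal segment
        return $default;
    }
    return $backurl;
}

function render_back_link(string $rawBackurl): string {
    $safe = sanitize_backurl($rawBackurl);
    // Escaping at output keeps any remaining metacharacters inside the attribute.
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

// Constructed inputs: one legitimate value and three that the hardened path rejects.
$inputs = [
    'tr_status.php?hostid=1',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
    '//attacker.invalid/',
];
foreach ($inputs as $in) {
    echo render_back_link($in), "\n";
}
```

Only the first input is reflected; the other three collapse to the default link, and the escaping on the output line is what would still protect the page if a future allowlist change let a quote through.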

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

68 versions of Zabbix/Zabbix
    • cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* (range: <=1.8.5)
    • cpe:2.3:a:zabbix:zabbix:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta10:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta11:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta12:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta2:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta3:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta4:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta5:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta6:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta7:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta8:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.1:beta9:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.1:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.2:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.3:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.4:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.5:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.6:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3.8:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.3:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.5.1:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.5.2:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.5.3:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.5.4:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.5:beta:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.6.9:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.3:rc1:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.3:rc2:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.3:rc3:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.4:rc1:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.4:rc2:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.4:rc3:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.4:rc4:*:*:*:*:*:*
    • cpe:2.3:a:zabbix:zabbix:1.8.5:rc1:*:*:*:*:*:*
    • (no CPE) range: <1.8.6

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (11)

News mentions (0)

No linked articles in our index yet.