CVE-2011-4615
Description
Multiple cross-site scripting (XSS) vulnerabilities in Zabbix before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the gname parameter (aka host groups name) to (1) hostgroups.php and (2) usergrps.php, the update action to (3) hosts.php and (4) scripts.php, and (5) maintenance.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple stored XSS flaws in Zabbix before 1.8.10 allow remote attackers to inject arbitrary script via the gname parameter in hostgroups.php and usergrps.php, the update action in hosts.php and scripts.php, and maintenance.php.
Vulnerability
Zabbix versions before 1.8.10 are affected by multiple cross-site scripting (XSS) vulnerabilities. The flaws reside in hostgroups.php, usergrps.php, hosts.php, scripts.php, and maintenance.php. An attacker can inject arbitrary web script or HTML via the gname parameter (host groups name) in hostgroups.php and usergrps.php, via the update action in hosts.php and scripts.php, and also in maintenance.php. The issue was reported as ZBX-4015 and affects version 1.8.5 and likely earlier versions [1].
Exploitation
An attacker needs only to be able to submit crafted input through the affected parameters. No authentication is explicitly required; if any of these pages are accessible, the attack can be performed. The injected script will be stored and later executed in the context of a victim’s browser when the page is loaded, making this a stored XSS [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the affected pages. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the Zabbix interface [1].
Mitigation
The vulnerability was fixed in Zabbix version 1.8.10 [1]. Users should upgrade to 1.8.10 or later. For those who cannot upgrade immediately, the only workaround is to restrict access to the affected pages through network controls or authentication [1]. Red Hat and Fedora package updates were also issued in January 2012 [2][3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:zabbix:zabbix:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta10:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta11:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta12:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta5:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta6:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta7:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta8:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta9:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.1:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.2:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.4:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.5:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.6:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.7:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.8:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.1:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.2:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.4:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.8:rc3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.9:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:*:rc2:*:*:*:*:*:*, range: <=1.8.10
- (no CPE), range: <1.8.10
Patches
No patches discovered yet.
References
- secunia.com/advisories/47216 (nvd, Vendor Advisory)
- support.zabbix.com/browse/ZBX-4015 (nvd, Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2012-January/071660.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2012-January/071687.html (nvd)
- osvdb.org/77771 (nvd)
- www.securityfocus.com/bid/51093 (nvd)
- www.zabbix.com/rn1.8.10.php (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/71855 (nvd)