Vulnerability Details : CVE-2011-2904
Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2011-2904
- cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta7:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta11:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta9:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.4:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta5:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.1:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta10:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.5:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta8:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta12:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.1:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.2:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.1:beta6:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.6:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.3:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.2:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.8:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.3.7:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.5.4:beta:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc3:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc4:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:zabbix:zabbix:1.8.4:rc2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2904
0.37%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-2904
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-2904
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2904
-
https://bugzilla.redhat.com/show_bug.cgi?id=729162
729162 – (CVE-2011-2904, CVE-2011-3263, CVE-2011-3264) CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < 1.8.6
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
[SECURITY] Fedora 14 Update: zabbix-1.8.6-1.fc14
-
http://www.securityfocus.com/bid/49016
ZABBIX 'backurl' Parameter Cross Site Scripting Vulnerability
-
http://www.openwall.com/lists/oss-security/2011/08/08/2
oss-security - CVE request: zabbix XSS flaw
-
https://support.zabbix.com/browse/ZBX-3835
[ZBX-3835] Cross Site Scripting Vulnerability - ZABBIX SUPPORTExploit
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/69025
Zabbix acknow.php cross-site scripting CVE-2011-2904 Vulnerability Report
-
http://www.zabbix.com/rn1.8.6.php
Release Notes for Zabbix 1.8.6Patch
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
[SECURITY] Fedora 15 Update: zabbix-1.8.6-1.fc15
-
http://www.openwall.com/lists/oss-security/2011/08/09/5
oss-security - Re: CVE request: zabbix XSS flaw
Jump to