There are multiple reflected XSS vulnerabilities in the frontend.
The PoC is the following maliciously crafted link ("zabbix.internal" should be replaced with your domain name):
This link leads to a page with an item list. Each item name contains an onclick handler with the injected script.
Clicking on any of the item names causes script execution:
Another example would be the following link:
Clicking the "Cancel" button causes execution of the injected script.
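The onclick case described above, as an added example that is not part of the original report or of the Zabbix code: a value reflected into a JavaScript string inside an `onclick` attribute, rendered with HTML escaping only and then with JavaScript-string encoding applied first. The report does not show the frontend code, so `renderWeak`, `renderHardened`, `show` and `marker` are hypothetical names, the markup is an assumed model, and the input is constructed.

```javascript
// Added example: all function names and the markup are hypothetical.
const htmlEscape = s => s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);

// Encode every non-alphanumeric UTF-16 code unit as \uXXXX so the value
// can never terminate the JavaScript string literal it is placed in.
const jsStringEscape = s => s.replace(/[^A-Za-z0-9]/g,
  c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

// Weak: HTML escaping only. Right for HTML text, wrong inside a JS string,
// because the browser decodes character references before running the handler.
const renderWeak = name =>
  `<a onclick="show('${htmlEscape(name)}');">item</a>`;

// Hardened: encode for the innermost context (JS string) first,
// then for the outer context (HTML attribute).
const renderHardened = name =>
  `<a onclick="show('${htmlEscape(jsStringEscape(name))}');">item</a>`;

// Model of a click: decode the attribute's numeric character references,
// then run the result as handler code with stub functions.
function simulateClick(html) {
  const attr = /onclick="([^"]*)"/.exec(html)[1];
  const code = attr.replace(/&#(\d+);/g,
    (_, n) => String.fromCharCode(Number(n)));
  const result = { shown: [], markerRan: false };
  new Function('show', 'marker', code)(
    v => result.shown.push(v),
    () => { result.markerRan = true; });
  return result;
}

// Constructed input: closes the string literal and calls a harmless stub.
const sample = "');marker();//";
const weak = simulateClick(renderWeak(sample));
const hardened = simulateClick(renderHardened(sample));

console.log('weak:     stub ran =', weak.markerRan);
console.log('hardened: stub ran =', hardened.markerRan,
  '| show() received the input intact =', hardened.shown[0] === sample);
```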