A file "popup_bitem.php" allows to pass argument "itemid" unsanitised.
Fixed in pre-2.0.2 r28981 and pre-2.1.0 (beta) r28982.
This issue also affect to Zabbix 1.8.x.
I could make a exploit for 1.8.x by using example from following exploit. It succeeded to get user's session id.
I made a patch for Zabbix 1.8.x.
Could you apply my patch to 1.8.x branch?
dev branch: svn://svn.zabbix.com/branches/dev/ZBX-5348
this fix should be used for 2.0 and trunk too.
Also fixed in pre-1.8.15 r29282
I checked pre-1.8.15 r29282 works good.
My exploit for 1.8.x doesn't get session id any more.