CVE-2010-2790

NameCVE-2010-2790
DescriptionMultiple cross-site scripting (XSS) vulnerabilities in the formatQuery function in frontends/php/include/classes/class.curl.php in Zabbix before 1.8.3rc1 allow remote attackers to inject arbitrary web script or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or (4) txt_select parameters to the triggers page (tr_status.php). NOTE: some of these details are obtained from third party information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs594304

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zabbix (PTS)stretch1:3.0.7+dfsg-3fixed
stretch (security)1:3.0.32+dfsg-0+deb9u1fixed
buster1:4.0.4+dfsg-1fixed
bullseye1:5.0.8+dfsg-1fixed
bookworm, sid1:5.0.14+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zabbixsourcesqueeze1:1.8.2-1squeeze1
zabbixsource(unstable)1:1.8.3-1594304

Notes

[lenny] - zabbix <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems