Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4674 to the following vulnerability:

Name: CVE-2011-4674
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4674
Assigned: 20111202
Reference: http://www.exploit-db.com/exploits/18155
Reference: https://support.zabbix.com/browse/ZBX-4385
Reference: http://www.securityfocus.com/bid/50803
Reference: http://xforce.iss.net/xforce/xfdb/71479

SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, and possibly other versions before 1.8.9, allows remote attackers to execute arbitrary SQL commands via the only_hostid parameter.

The upstream issue tracker indicates this is fixed in upstream 1.8.9.
Took a quick look at the code in what we have in EPEL4/5 (1.4.7) and it doesn't look like this issue should exist in the older versions.
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 759595]
Affects: epel-6 [bug 759596]
zabbix-1.8.9-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
zabbix-1.8.9-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
zabbix-1.8.9-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
That's a leftover; closing!