An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip.
Credits
Zabbix wants to thank Daniel Santos (@bananabr) for submitting this report on the HackerOne bug bounty platform.
