popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter.
{ "urgency": "not yet assigned" }