Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
2020-01-16T04:15:11.697
2024-11-21T05:36:38.350
Modified
CVSSv3.1: 6.1 (MEDIUM)
AV:N/AC:M/Au:N/C:N/I:P/A:N
8.6
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | cacti | cacti | < 1.2.9 | Yes |
| Operating System | debian | debian_linux | 8.0 | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Application | opensuse | backports_sle | 15.0 | Yes |
| Operating System | opensuse | leap | 15.1 | Yes |
| Application | suse | package_hub | - | Yes |
| Operating System | suse | linux_enterprise | 12.0 | No |
| Application | fedoraproject | extra_packages_for_enterprise_linux | 7.0 | Yes |
| Application | fedoraproject | extra_packages_for_enterprise_linux | 8.0 | Yes |
| Application | fedoraproject | extra_packages_for_enterprise_linux | 9.0 | Yes |
| Operating System | fedoraproject | fedora | 30 | Yes |
| Operating System | fedoraproject | fedora | 31 | Yes |