CVE-2008-0783
Published: 2008-02-14
Priority: P4, severity medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploit: public (Exploit-DB entries below)
EPSS: 5.25% (91.5th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via (1) the view_type parameter to graph.php; (2) the filter parameter to graph_view.php; (3) the action parameter to the draw_navigation_text function in lib/functions.php, reachable through index.php (aka the login page) or data_input.php; or (4) the login_username parameter to index.php.
Affected
The aggregator lists 21 ranges; 16 of them carry no version data and the remainder repeat one another. Deduplicated:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | 0.8.7 before 0.8.7b; 0.8.6 before 0.8.6k (upstream, per the description) | 0.8.7b, 0.8.6k |
| cacti | cacti | >= 0 < 0.8.7b-1 | 0.8.7b-1 |
| debian | cacti | < 0.8.7b-1 (bookworm) | 0.8.7b-1 (bookworm) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
All four sources carry the same 4.3 score; Debian's own severity rating for the package is low rather than medium.
GHSA
GHSA-4563-34p5-3rhw (ghsa_unreviewed, 2022-05-01): CVE-2008-0783, MEDIUM, CWE-79. The GHSA description is identical to the NVD text above.
OSV
CVE-2008-0783 (osv, 2008-02-14, CVSS 4.3, MEDIUM). The OSV description is identical to the NVD text above.
Debian
cacti - Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b (vendor_debian, 2008, CVSS 4.3, MEDIUM). The Debian description is identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 0.8.7b-1)
bullseye: resolved (fixed in 0.8.7b-1)
forky: resolved (fixed in 0.8.7b-1)
sid: resolved (fixed in 0.8.7b-1)
trixie: resolved (fixed in 0.8.7b-1)
Red Hat
cacti: multiple input sanitization issues (CVE-2008-0783, CVE-2008-0784, CVE-2008-0785, CVE-2008-0786) (vendor_redhat, CVSS 4.3, MEDIUM)
The Red Hat entry covers the whole 0.8.7b fix batch. The description attached to it is the one for the SQL injection sibling CVE-2008-0785, not for this XSS CVE:
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login.
No detection rules found.
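No rule feed covers this CVE, so here is an added example of what a log-side check looks like. It is not code from the Cacti project or from any detection-rule feed. It parses combined-format access-log lines, looks only at the four reflection sinks named in the description (graph.php?view_type, graph_view.php?filter, index.php/data_input.php?action, index.php?login_username), fully percent-decodes each value so double-encoded probes are not missed, and flags values carrying tag openers, javascript: URLs or on*= handlers. The log lines at the bottom are constructed for the example. One caveat is built in: a real login POST carries login_username in the request body, which a standard access log does not record, so only GET-style probes of that sink are visible this way.

```python
# Added example for this page: a log-based check for CVE-2008-0783 probe
# traffic. It is not code from the Cacti project or from any detection-rule
# feed. The access-log lines at the bottom are constructed for the example;
# the sink parameters come from the CVE description.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# (script suffix, reflected parameter) pairs named in the advisory. The
# login_username sink is normally sent in the POST body, which a standard
# access log does not record, so only GET probes of it are visible here.
SINKS = [
    ("/graph.php", "view_type"),
    ("/graph_view.php", "filter"),
    ("/index.php", "action"),
    ("/index.php", "login_username"),
    ("/data_input.php", "action"),
]

# Markup that has no legitimate place in a graph filter, view type or
# username: a tag opener, a javascript: URL, or an on*= event handler.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value):
    """Undo repeated percent-encoding so %253C (double-encoded '<') is caught."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def check_target(target):
    """Return (script, param, decoded value) for every sink that carries markup."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for script, param in SINKS:
        if not parts.path.endswith(script):
            continue
        for raw in query.get(param, []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                hits.append((script, param, value))
    return hits


def scan_log(lines):
    """One finding per sink hit, with client address and timestamp attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for script, param, value in check_target(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "script": script,
                "param": param,
                "value": value,
            })
    return findings


# Constructed sample: two probes shaped like the Exploit-DB PoC URLs, one
# benign filter value, and one double-encoded probe of the index.php sink.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2008:10:00:01 +0000] "GET /cacti/graph_view.php?action=list&filter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '10.0.0.5 - - [14/Feb/2008:10:00:02 +0000] "GET /cacti/graph.php?local_graph_id=1&rra_id=34&action=properties&view_type=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 2201',
    '10.0.0.7 - - [14/Feb/2008:10:00:03 +0000] "GET /cacti/graph_view.php?action=tree&filter=router1 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [14/Feb/2008:10:00:04 +0000] "GET /cacti/index.php?action=%253Cscript%253E HTTP/1.1" 200 1500',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} {f['param']}={f['value']!r}")
```

Run against the sample, three of the four lines are flagged; the benign `filter=router1` request is not. Because the check is keyed on the specific sinks rather than on the whole query string, it stays quiet on the many other Cacti parameters that legitimately carry angle brackets or equals signs in graph titles.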
Exploit-DB
Cacti 0.8.7 - 'graph_view.php?filter' Cross-Site Scripting (exploitdb, 2008-02-12, CVE-2008-0783)
---
source: https://www.securityfocus.com/bid/27749/info
Cacti is prone to multiple unspecified input-validation vulnerabilities, including:
- Multiple cross-site scripting vulnerabilities
- Multiple SQL-injection vulnerabilities
- An HTTP response-splitting vulnerability.
Attackers may exploit these vulnerabilities to influence or misrepresent how web content is served, cached, or interpreted, to compromise the application, to access or modify data, to exploit vulnerabilities in the underlying database, or to execute arbitrary script code in the browser of an unsuspecting user.
These issues affect Cacti 0.8.7a and prior versions.
PoC URL (the payload is cut off in the archived entry):
http://www.example.com/cacti/graph_view.php?action=list&page=1&host_id=0&graph_template_id=8&fi
Exploit-DB
Cacti 0.8.7 - 'graph.php?view_type' Cross-Site Scripting (exploitdb, 2008-02-12, CVE-2008-0783)
---
source: https://www.securityfocus.com/bid/27749/info
The advisory text carried by this entry is the same SecurityFocus BID 27749 text as in the graph_view.php entry above.
PoC URL (the payload is cut off in the archived entry):
http://www.example.com/cacti/graph.php?local_graph_id=1&rra_id=34&action=properties&view_type=tok
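Both Exploit-DB entries stop at the start of the payload, so here is an added example of how to verify the four sinks yourself rather than by eyeballing a truncated URL. It is not code from Cacti or from the Exploit-DB entries. It sends a random canary wrapped in an unregistered tag to each sink and classifies the response as reflected unescaped (vulnerable), reflected entity-encoded (escaping in place), reflected but altered, or not reflected. The base URL, the companion parameters sent with each sink, the canary format and the cookie handling are assumptions; the companion parameters for the two GET sinks mirror the PoC URLs above. Run it only against an instance you are authorised to test, and note that data_input.php needs an authenticated session, so without a cookie it will redirect to the login page and report "not-reflected" rather than a verdict.

```python
# Added example for this page, not code from Cacti or from the Exploit-DB
# entries. It probes the four reflection sinks named in the advisory with a
# unique canary and classifies how each response echoes it. The base URL,
# the extra parameters sent alongside each sink, the canary format and the
# cookie handling are assumptions; run it only against an instance you are
# authorised to test.
import html
import secrets
import urllib.error
import urllib.parse
import urllib.request

# (script, sink parameter, HTTP method, companion parameters that make the
# page render). The companions for the two GET sinks mirror the Exploit-DB
# PoC URLs; the other two are assumed. data_input.php needs an authenticated
# session: without a cookie Cacti redirects to the login page and the sink
# simply reports "not-reflected".
SINKS = [
    ("graph.php", "view_type", "GET", {"local_graph_id": "1", "rra_id": "1", "action": "properties"}),
    ("graph_view.php", "filter", "GET", {"action": "list"}),
    ("index.php", "login_username", "POST", {"action": "login", "login_password": "x"}),
    ("data_input.php", "action", "GET", {}),
]


def make_canary():
    """Random token inside an unregistered tag: harmless if rendered, unmistakable if echoed."""
    token = secrets.token_hex(4)
    return token, f"<cve0783-{token}>"


def classify(body, token, payload):
    """Say how a response body treated the injected payload."""
    if payload in body:
        return "reflected-unescaped"   # markup survived: the sink is vulnerable
    if html.escape(payload, quote=False) in body:
        return "reflected-escaped"     # entity-encoded: output escaping is in place
    if token in body:
        return "reflected-modified"    # echoed but altered (tags stripped, truncated): inspect by hand
    return "not-reflected"             # the page did not echo the parameter at all


def probe_sink(base_url, script, param, method, extra, token, payload, cookie=None, timeout=10):
    """Send one canary to one sink and return its classification."""
    params = dict(extra)
    params[param] = payload
    url = f"{base_url.rstrip('/')}/{script}"
    data = None
    if method == "GET":
        url += "?" + urllib.parse.urlencode(params)
    else:
        data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, method=method)
    if cookie:
        req.add_header("Cookie", cookie)  # assumed: a valid Cacti session cookie
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")  # error pages can reflect too
    return classify(body, token, payload)


def probe(base_url, cookie=None):
    """Probe every sink; returns {'script?param': verdict}."""
    results = {}
    for script, param, method, extra in SINKS:
        token, payload = make_canary()
        results[f"{script}?{param}"] = probe_sink(
            base_url, script, param, method, extra, token, payload, cookie
        )
    return results


if __name__ == "__main__":
    import sys
    # Assumed base URL; pass your own lab instance as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://cacti.example.test/cacti"
    for sink, verdict in probe(base).items():
        print(f"{sink:32} {verdict}")
```

The canary deliberately carries no script: an unknown element is inert in every browser, so the probe proves reflection without executing anything, and a fresh token per sink stops a cached page from producing a false positive on the next one.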
Bugzilla (unrelated match)
The aggregator also attached the Fedora tracking bug "CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]" (bugzilla, 2009-11-09, CVSS 5.0). It concerns Apache Tomcat and CVE-2009-0783, a different identifier that shares only its last four digits with this CVE, and has no bearing on the Cacti issue.
Bugzilla
Red Hat bug 432758: cacti: multiple input sanitization issues (CVE-2008-0783, CVE-2008-0784, CVE-2008-0785, CVE-2008-0786) (bugzilla, 2008-02-14, CVSS 4.3, MEDIUM)
Description of problem:
Lack of input sanitization can reportedly [1] [2] compose XSS, SQL injection or HTTP response splitting attack vector.
[1] http://www.cacti.net/release_notes_0_8_7b.php
[2] http://secunia.com/advisories/28872/
Discussion:
CVE name/names was/were requested
---
cacti-0.8.7b-1.fc8 has been submitted as an update for Fedora 8
---
*** Bug 432473 has been marked as a duplicate of this bug. ***
---
cacti-0.8.7b-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
---
cacti-0.8.7b-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it
References
- http://bugs.cacti.net/view.php?id=1245
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://secunia.com/advisories/28872
- http://secunia.com/advisories/28976
- http://secunia.com/advisories/29242
- http://secunia.com/advisories/29274
- http://secunia.com/advisories/30045
- http://security.gentoo.org/glsa/glsa-200803-18.xml
- http://securityreason.com/securityalert/3657
- http://www.cacti.net/release_notes_0_8_7b.php
- http://www.debian.org/security/2008/dsa-1569
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:052
- http://www.securityfocus.com/archive/1/488013/100/0/threaded
- http://www.securityfocus.com/archive/1/488018/100/0/threaded
- http://www.securityfocus.com/bid/27749
- http://www.securityfocus.com/bid/34991
- http://www.securitytracker.com/id?1019414
- http://www.vupen.com/english/advisories/2008/0540
- https://bugzilla.redhat.com/show_bug.cgi?id=432758
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50575
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00570.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00593.html