CVE-2018-10059 — Cross-site Scripting in Cacti

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 47.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedApr 12

Latest updateMay 14

Description

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/cacti< cacti 1.1.37+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.1.37+ds1-1+3

▶NVDcacti/cacti1.1.36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-v3j4-242x-4vhx: Cacti before 1↗2022-05-14

▶

OSV

CVE-2018-10059: Cacti before 1↗2018-04-12

▶

📋Vendor Advisories

Debian

CVE-2018-10059: cacti - Cacti before 1.1.37 has XSS because the get_current_page function in lib/functio...↗2018

▶