CVE-2018-10060 — Cross-site Scripting in Cacti

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.7%

top 28.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Debian Linux

Timeline

PublishedApr 12

Latest updateMay 13

Description

Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/cacti< cacti 1.1.37+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.1.37+ds1-1+3

▶NVDcacti/cacti1.1.36

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qw2p-jwcj-4m42: Cacti before 1↗2022-05-13

▶

OSV

CVE-2018-10060: Cacti before 1↗2018-04-12

▶

📋Vendor Advisories

Debian

CVE-2018-10060: cacti - Cacti before 1.1.37 has XSS because it does not properly reject unintended chara...↗2018

▶