CVE-2018-10061 — Cross-site Scripting in Cacti

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

1.0%

top 23.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Debian Linux

Timeline

PublishedApr 12

Latest updateMay 13

Description

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/cacti< cacti 1.1.37+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.1.37+ds1-1+3

▶NVDcacti/cacti1.1.36

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-gj65-6229-2cwr: Cacti before 1↗2022-05-13

▶

OSV

CVE-2018-10061: Cacti before 1↗2018-04-12

▶

📋Vendor Advisories

Debian

CVE-2018-10061: cacti - Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls with...↗2018

▶