CVE-2018-20726 — Cross-site Scripting in Cacti

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 33.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 16

Latest updateMay 13

Description

A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDcacti/cacti< 1.2.0

▶debiandebian/cacti< cacti 1.2.1+ds1-1 (bookworm)

▶Debiancacti/cacti< 1.2.1+ds1-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-39rw-hw3x-2qp8: A cross-site scripting (XSS) vulnerability exists in host↗2022-05-13

▶

OSV

CVE-2018-20726: A cross-site scripting (XSS) vulnerability exists in host↗2019-01-16

▶

📋Vendor Advisories

Debian

CVE-2018-20726: cacti - A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in ...↗2018

▶

💬Community

Bugzilla

CVE-2018-20724 CVE-2018-20725 CVE-2018-20726 CVE-2018-20723 cacti: Multiple cross-site scripting vulnerabilities fixed in 1.2.0 version↗2019-01-17

▶

Bugzilla

CVE-2018-20723 CVE-2018-20724 CVE-2018-20725 CVE-2018-20726 cacti: Multiple cross-site scripting vulnerabilities fixed in 1.2.0 version [epel-all]↗2019-01-17

▶