CVE-2019-11025 — Cross-site Scripting in Cacti

CWE-79 — Cross-site Scripting7 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.6%

top 29.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti Debian Linux

Timeline

PublishedApr 8

Latest updateMay 13

Description

In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs before printing out the value of the SNMP community string (SNMP Options) in the View poller cache, leading to XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDcacti/cacti< 1.2.3

▶debiandebian/cacti< cacti 1.2.2+ds1-2 (bookworm)

▶Debiancacti/cacti< 1.2.2+ds1-2+3

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-p4p8-h9wq-h334: In clearFilter() in utilities↗2022-05-13

▶

OSV

CVE-2019-11025: In clearFilter() in utilities↗2019-04-08

▶

📋Vendor Advisories

Debian

CVE-2019-11025: cacti - In clearFilter() in utilities.php in Cacti before 1.2.3, no escaping occurs befo...↗2019

▶

💬Community

Bugzilla

CVE-2019-11025 cacti: XSS vulnerability in function clearFilter() in utilities.php [fedora-all]↗2019-04-15

▶

Bugzilla

CVE-2019-11025 cacti: XSS vulnerability in function clearFilter() in utilities.php [epel-all]↗2019-04-15

▶

Bugzilla

CVE-2019-11025 cacti: XSS vulnerability in function clearFilter() in utilities.php↗2019-04-15

▶