Reflected XSS in 1.1.27 #1071
Comments
Can you please confirm this against the current develop branch? I cannot reproduce using your example. I actually receive a permission denied message.
Yes, we tested this on a local version.
This issue was assigned CVE-2017-16785.
I don't believe you understood me correctly. Please test with the latest develop branch. I believe this problem has already been solved and is a duplicate of another issue that was resolved recently and finally in this issue e219199. Therefore, I will mark unable to reproduce until you are able to attempt to reproduce with the latest develop branch. If you find you cannot reproduce, we can make it closed and update the change record since we have the CVE to deal with. Please advise.
We thought that was the latest version, 1.1.27; on GitHub it's 1.1.28, and the site is still old.
1.1.28 has not been released and that is why it does not appear as a download. It's under active development. 1.2.x is a feature branch for later release.
We are enhancing the fix to the issue linked below in 1.1.28. Also, per ronytomen, I don't believe you understood me correctly. Please test with the latest develop branch. I believe this problem has already been solved and is a duplicate of another issue that was resolved recently and finally in this issue e219199. Therefore, I will mark unable to reproduce until you are able to attempt to reproduce with the latest develop branch. If you find you cannot reproduce, we can make it closed and update the change record since we have the CVE to deal with. Please advise.
Yes, in 1.1.28 the problem is fixed.
Thanks for confirming. Marking resolved in changelog and closing.
I think this is a duplicate of CVE-2017-15194 / issue #1010, or if not, one could consider this a reintroduction of it in commit 054aa82, as discussed in the comments there.
We (worlak2 and cibvetr2) found a reflected XSS vuln in the latest version, 1.1.27. (For example, we found on Google a host with the latest version of Cacti.)
PoC
1)http://128.65.97.6/host.php/gahv8'-alert(document.domain)-'w6vt7??host_status=-1&host_template_id=-1&site_id=-1&poller_id=-1&rows=-1&filter=&
With regards, worlak2 and cibvetr2
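
A defensive check built on the shape of the PoC above, added here as an example and not part of the original issue or Cacti's code: it scans access-log lines for requests where extra path segments follow a `.php` script and carry quote or bracket characters. The combined log format, the regexes, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that let reflected path text break out of markup or a quoted
# JavaScript string when it is echoed without encoding.
BREAKOUT = re.compile(r"""['"<>()`]""")
# A .php script name followed by extra path segments (PATH_INFO).
PHP_PATH_INFO = re.compile(r"^.*?\.php(?P<extra>/.+)$", re.I)
# Request field of a combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the first reuses the path shape of the PoC.
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2017:12:00:01 +0000] "GET /host.php/gahv8\'-alert(document.domain)-\'w6vt7??host_status=-1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/Nov/2017:12:00:05 +0000] "GET /host.php?host_status=-1&rows=-1 HTTP/1.1" 200 4980',
    '192.0.2.12 - - [10/Nov/2017:12:00:09 +0000] "GET /host.php/x%27-alert%281%29-%27y?rows=-1 HTTP/1.1" 200 5130',
    '192.0.2.13 - - [10/Nov/2017:12:00:12 +0000] "GET /index.php/graphs/view HTTP/1.1" 200 2210',
]


def suspicious_path_info(target):
    """Return the decoded PATH_INFO if it carries breakout characters, else None."""
    path = urlsplit(target).path
    # Decode twice so both %27 and %2527 are seen as a quote.
    decoded = unquote(unquote(path))
    m = PHP_PATH_INFO.match(decoded)
    if m and BREAKOUT.search(m.group("extra")):
        return m.group("extra")
    return None


def scan(lines):
    """Yield (line_number, path_info) for each flagged access-log line."""
    for n, line in enumerate(lines, 1):
        req = REQUEST.search(line)
        if req:
            hit = suspicious_path_info(req.group("target"))
            if hit:
                yield n, hit


if __name__ == "__main__":
    for n, extra in scan(SAMPLE):
        print(f"line {n}: path info {extra!r}")
```

A hit only means the request has the same shape as the PoC; whether the application reflects the path unencoded depends on the installed version.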