Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 #838

Closed
kimiizhang opened this issue Jul 5, 2017 · 5 comments

@kimiizhang

kimiizhang commented Jul 5, 2017

By xiaotian.wang@DBAppSecurity.com.cn

Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter.

eg: http://192.168.1.206/cacti/link.php?id=1"</td><script>alert(/cacti/)</script>

cigamit added a commit that referenced this issue Jul 5, 2017
Cross-site Scripting (XSS) issue with link.php
@cigamit
Member

cigamit commented Jul 5, 2017

Resolved. Thanks for reporting.

@cigamit cigamit closed this as completed Jul 5, 2017
@paulgevers
Contributor

@cigamit just in case you want to mention it in the changelog, this issue got a CVE assigned: CVE-2017-10970

@cigamit
Member

cigamit commented Jul 7, 2017

Updated CHANGELOG. Thanks Paul!

@dbaio

dbaio commented Jul 16, 2017

Hi.
Does this security issue affect only 1.1.12, or other versions as well?
Thank you

@paulgevers
Contributor

@dbaio: We believe the issue was introduced in commit 11e7294, which makes all releases from 1.0.0 up to and including 1.1.12 susceptible.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 30, 2020
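
A log-triage check for the request pattern reported in this issue, as an added example that is not part of the original thread or of Cacti's code. It assumes a combined-format web server access log and that a legitimate `id` value for `link.php` is a plain integer; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2017:10:00:00 +0000] "GET /cacti/link.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jul/2017:10:02:11 +0000] "GET /cacti/link.php?id=1%22%3C/td%3E%3Cscript%3Ealert(/cacti/)%3C/script%3E HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jul/2017:10:03:40 +0000] "GET /cacti/graph_view.php?id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jul/2017:10:04:02 +0000] "GET /cacti/link.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, then the quoted request line: METHOD TARGET PROTOCOL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
INT_RE = re.compile(r"[0-9]+")  # assumption: a legitimate id is a plain integer


def suspicious_link_requests(lines):
    """Return (ip, timestamp, decoded id) for link.php hits whose id is not an integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/link.php"):
            continue  # only the page named in this issue
        # parse_qs percent-decodes values; keep_blank_values so "id=" is also seen.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            if not INT_RE.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_link_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-integer id for link.php: {value!r}")
```

A hit only shows that a non-integer `id` was requested; whether the response reflected it depends on the installed release, per the version range given in the thread.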