You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If any of the above Cacti Graph objects have a title with an stored XSS script value, it can be executed during Cacti's Callback process. This can lead to XSS issues in Cacti.
To Reproduce
Steps to reproduce the behavior:
Save an object above with a title of <script>alert('something');<?script>
Goto any Cacti page that includes one of these object callbacks
Search on something
See error
Expected behavior
Less bugs in Cacti!
The text was updated successfully, but these errors were encountered:
#4578, #4574
-security#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks
-security#4579: Cacti account lockout policies are not properly applied to LDAP and Domain Users
-issue#4573: The Cacti permission system does not scale to very large installations
-issue#4575: When you delete a user, their 'remember me' cookie data is not automatically removed
-issue#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks
-issue#4577: Cacti allows you to disable the currently logged in administrator disabling the user
-issue#4578: The Cacti login algorithm is complicated to understand due to too much strait line code
-feature#4574: Cacti needs some additional permission methods for larger installations
This change properly documents the file lib/auth.php using phpDocument format, and performed multiple sanity and readability changes such as the renaming of variables commonly used in multiple functions.
The the restructuring of the three authentication files:
- auth_login.php
- include/auth.php
- lib/auth.php
Makes the code more readable, it's not a complete solution, however, it is much easier to follow now.
netniV
changed the title
Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks
Device, Graph, Graph Template, and Graph Items may be vulnerable to XSS issues
Apr 3, 2022
Describe the bug
If any of the above Cacti Graph objects have a title with an stored XSS script value, it can be executed during Cacti's Callback process. This can lead to XSS issues in Cacti.
To Reproduce
Steps to reproduce the behavior:
Save an object above with a title of
<script>alert('something');<?script>
Goto any Cacti page that includes one of these object callbacks
Search on something
See error
Expected behavior
Less bugs in Cacti!
The text was updated successfully, but these errors were encountered: