SB2019011620 - Multiple vulnerabilities in Cacti
Published: January 16, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2018-20723)
The vulnerability allows a remote privileged user to read and manipulate data.
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
2) Cross-site scripting (CVE-ID: CVE-2018-20724)
The vulnerability allows a remote privileged user to read and manipulate data.
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
3) Cross-site scripting (CVE-ID: CVE-2018-20725)
The vulnerability allows a remote privileged user to read and manipulate data.
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
4) Cross-site scripting (CVE-ID: CVE-2018-20726)
The vulnerability allows a remote authenticated user to read and manipulate data.
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
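All four entries share one root cause: an admin-supplied field value is written into the page without HTML escaping. The following is an added example (not Cacti's own code) showing that pattern beside its hardened form, plus an audit helper that flags metacharacters in values already stored before the upgrade; field names mirror the bulletin and the sample rows are constructed.

```php
<?php
// Added example, not Cacti's code. Demonstrates the escaping defect behind
// CVE-2018-20723..CVE-2018-20726 and a post-upgrade audit of stored values.

// Vulnerable pattern: the stored value is concatenated into HTML verbatim,
// so markup in a Color Name, Website Hostname or Vertical Label runs in the
// browser of whoever views the listing.
function render_cell_vulnerable(string $value): string {
    return '<td>' . $value . '</td>';
}

// Hardened pattern: escape at output time for the HTML context. ENT_QUOTES
// also encodes single quotes so the value is safe inside attributes.
function render_cell_fixed(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Upgrading fixes the output path but does not remove payloads a privileged
// user may already have saved. Return rows whose watched field contains HTML
// metacharacters so an operator can review and clean them.
function audit_stored_values(array $rows, array $watched_fields): array {
    $flagged = [];
    foreach ($rows as $row) {
        foreach ($watched_fields as $field) {
            if (isset($row[$field]) && preg_match('/[<>"\'&]/', $row[$field])) {
                $flagged[] = ['id' => $row['id'], 'field' => $field, 'value' => $row[$field]];
            }
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the affected tables and fields.
$samples = [
    ['id' => 1, 'name' => 'Default Red'],                     // color name, benign
    ['id' => 2, 'name' => 'Red<script>alert(1)</script>'],    // color name, hostile
    ['id' => 3, 'hostname' => 'poller1.example.test'],        // data collector hostname
    ['id' => 4, 'vertical_label' => 'bits per second'],       // graph vertical label
];
$watched = ['name', 'hostname', 'vertical_label'];

echo render_cell_vulnerable($samples[1]['name']), PHP_EOL; // markup passes through untouched
echo render_cell_fixed($samples[1]['name']), PHP_EOL;      // markup is neutralised as text
print_r(audit_stored_values($samples, $watched));          // lists rows needing review
```

Run the audit against the relevant tables after upgrading to 1.2.0 or later, because the fix only affects how values are rendered, not what is already in the database.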
Remediation
Install the update (Cacti 1.2.0 or later) from the vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
- https://github.com/Cacti/cacti/blob/develop/CHANGELOG
- https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
- https://github.com/Cacti/cacti/issues/2215
- https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53
- https://github.com/Cacti/cacti/issues/2212
- https://github.com/Cacti/cacti/issues/2214
- https://github.com/Cacti/cacti/issues/2213