Main Vulnerability Database Vulnerabilities #VU36235

#VU36235 Cross-site scripting in Cacti - CVE-2018-20726

Published: January 16, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU36235

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-20726

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cacti

Software vendor:
The Cacti Group, Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.

Remediation

Install update from vendor's website.

External links

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
https://github.com/Cacti/cacti/blob/develop/CHANGELOG
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
https://github.com/Cacti/cacti/issues/2213

#VU36235 Cross-site scripting in Cacti - CVE-2018-20726

Description

Remediation

External links

Please verify you're human