A number of cross-site scripting issues were found in Cacti. A user with console access could use these flaws to perform cross-site scripting attacks against other Cacti users.

Original report: http://bugs.cacti.net/view.php?id=2456
Possible patch: http://bugs.cacti.net/file_download.php?file_id=1125&type=bug
CVE request: http://seclists.org/oss-sec/2014/q3/190
Created cacti tracking bugs for this issue:

Affects: fedora-all [bug 1121467]
Affects: epel-all [bug 1121468]
CVE-2014-5025 was assigned to XSS in data_sources.php

CVE-2014-5026 was assigned to the below issues:

- If you create a Graph Tree with Title: [XSS]
- If you create a CDEF with Name: [XSS]
- If you create a Data Source with Title: [XSS] you'll see a popup with the text "XSS" if you try any action (Delete, Change data template, Change Host, Enable...)
- If you create a Graph with Title: [XSS]
- If you create a Data Input Method with Name: [XSS]
- If you create a Graph Template with Name: [XSS]
- If you create a Host Templates with Name: [XSS]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.