Red Hat Bugzilla – Bug 1470077
CVE-2017-11163 cacti: XSS in aggregate_graphs.php
Last modified: 2017-07-12 11:15:01 EDT
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12
allows remote authenticated users to inject arbitrary web script or HTML via
specially crafted HTTP Referer headers, related to the $cancel_url variable.
Created cacti tracking bugs for this issue:
Affects: epel-all [bug 1470078]
Affects: fedora-all [bug 1470079]
There is already another CVE number for this issue: CVE-2017-10970. Please check: https://github.com/Cacti/cacti/issues/838
We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.
(In reply to Morten Stevens from comment #2)
> There is already another CVE number for this issue: CVE-2017-10970. Please
> check: https://github.com/Cacti/cacti/issues/838
> We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.
Are you sure that CVE-2017-10970 and CVE-2017-11163 are the same?
It seems to me that they have a different origin (link-php vs aggregate_graphs.php). As long as there are two CVEs assigned here we need to treat https://github.com/Cacti/cacti/issues/847 and https://github.com/Cacti/cacti/issues/838 as different issues.
If you feel confident that these issues are the same, you should contact mitre and open a dispute via https://cveform.mitre.org/
Oh, I see what you mean now :) According to upstream this second issue was also fixed with the patch for the first one.
We can close this bug then. As per upstream recommendation, please try to update cacti to 1.1.3 when it's available. Thanks!
Thank you. Maybe you can open a new BZ for CVE-2017-10970?
(In reply to Morten Stevens from comment #5)
> Thank you. Maybe you can open a new BZ for CVE-2017-10970?
Flaw bug and trackers for CVE-2017-10970 are now live, feel free to change them as you want.