Bug 1470077 - (CVE-2017-11163) CVE-2017-11163 cacti: XSS in aggregate_graphs.php
CVE-2017-11163 cacti: XSS in aggregate_graphs.php
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1470078 1470079
  Show dependency treegraph
Reported: 2017-07-12 07:33 EDT by Andrej Nemec
Modified: 2017-07-12 11:15 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-07-12 09:15:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2017-07-12 07:33:59 EDT
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12
allows remote authenticated users to inject arbitrary web script or HTML via
specially crafted HTTP Referer headers, related to the $cancel_url variable.

Upstream issue:

Comment 1 Andrej Nemec 2017-07-12 07:34:19 EDT
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 1470078]
Affects: fedora-all [bug 1470079]
Comment 3 Andrej Nemec 2017-07-12 09:01:13 EDT
(In reply to Morten Stevens from comment #2)
> There is already another CVE number for this issue: CVE-2017-10970. Please
> check: https://github.com/Cacti/cacti/issues/838
> We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.
> See:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693

Are you sure that CVE-2017-10970 and CVE-2017-11163 are the same?

It seems to me that they have a different origin (link-php vs aggregate_graphs.php). As long as there are two CVEs assigned here we need to treat https://github.com/Cacti/cacti/issues/847 and https://github.com/Cacti/cacti/issues/838 as different issues.

If you feel confident that these issues are the same, you should contact mitre and open a dispute via https://cveform.mitre.org/
Comment 4 Andrej Nemec 2017-07-12 09:15:14 EDT
Oh, I see what you mean now :) According to upstream this second issue was also fixed with the patch for the first one.

We can close this bug then. As per upstream recommendation, please try to update cacti to 1.1.3 when it's available. Thanks!
Comment 5 Morten Stevens 2017-07-12 11:05:12 EDT

Thank you. Maybe you can open a new BZ for CVE-2017-10970?
Comment 6 Andrej Nemec 2017-07-12 11:15:01 EDT
(In reply to Morten Stevens from comment #5)
> @Andrej
> Thank you. Maybe you can open a new BZ for CVE-2017-10970?

Flaw bug and trackers for CVE-2017-10970 are now live, feel free to change them as you want.

Note You need to log in before you can comment on or make changes to this bug.