Bug 1470077 (CVE-2017-11163) - CVE-2017-11163 cacti: XSS in aggregate_graphs.php
Summary: CVE-2017-11163 cacti: XSS in aggregate_graphs.php
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-11163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1470078 1470079
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-12 11:33 UTC by Andrej Nemec
Modified: 2019-09-29 14:15 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-12 13:15:14 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-07-12 11:33:59 UTC 
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12
allows remote authenticated users to inject arbitrary web script or HTML via
specially crafted HTTP Referer headers, related to the $cancel_url variable.

Upstream issue:

https://github.com/Cacti/cacti/issues/847
Comment 1 Andrej Nemec 2017-07-12 11:34:19 UTC 
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 1470078]
Affects: fedora-all [bug 1470079]
Comment 2 Morten Stevens 2017-07-12 12:48:15 UTC 
There is already another CVE number for this issue: CVE-2017-10970. Please check: https://github.com/Cacti/cacti/issues/838

We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.

See:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413
https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403
https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e
https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693
Comment 3 Andrej Nemec 2017-07-12 13:01:13 UTC 
(In reply to Morten Stevens from comment #2)
> There is already another CVE number for this issue: CVE-2017-10970. Please
> check: https://github.com/Cacti/cacti/issues/838
> 
> We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970.
> 
> See:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693

Are you sure that CVE-2017-10970 and CVE-2017-11163 are the same?

It seems to me that they have a different origin (link-php vs aggregate_graphs.php). As long as there are two CVEs assigned here we need to treat https://github.com/Cacti/cacti/issues/847 and https://github.com/Cacti/cacti/issues/838 as different issues.

If you feel confident that these issues are the same, you should contact mitre and open a dispute via https://cveform.mitre.org/
Comment 4 Andrej Nemec 2017-07-12 13:15:14 UTC 
Oh, I see what you mean now :) According to upstream this second issue was also fixed with the patch for the first one.

We can close this bug then. As per upstream recommendation, please try to update cacti to 1.1.3 when it's available. Thanks!
Comment 5 Morten Stevens 2017-07-12 15:05:12 UTC 
@Andrej

Thank you. Maybe you can open a new BZ for CVE-2017-10970?
Comment 6 Andrej Nemec 2017-07-12 15:15:01 UTC 
(In reply to Morten Stevens from comment #5)
> @Andrej
> 
> Thank you. Maybe you can open a new BZ for CVE-2017-10970?

Flaw bug and trackers for CVE-2017-10970 are now live, feel free to change them as you want.
Note You need to log in before you can comment on or make changes to this bug.