Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti 1.1.12 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. Upstream issue: https://github.com/Cacti/cacti/issues/847
Created cacti tracking bugs for this issue: Affects: epel-all [bug 1470078] Affects: fedora-all [bug 1470079]
There is already another CVE number for this issue: CVE-2017-10970. Please check: https://github.com/Cacti/cacti/issues/838 We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970. See: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413 https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403 https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693
(In reply to Morten Stevens from comment #2) > There is already another CVE number for this issue: CVE-2017-10970. Please > check: https://github.com/Cacti/cacti/issues/838 > > We have a backported patch for cacti-1.1.2 to fix CVE-2017-10970. > > See: > https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9098af995f > https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d13b9e8413 > https://bodhi.fedoraproject.org/updates/FEDORA-2017-3db2a34403 > https://bodhi.fedoraproject.org/updates/FEDORA-2017-f8e32f160e > https://bodhi.fedoraproject.org/updates/FEDORA-2017-7ab0179693 Are you sure that CVE-2017-10970 and CVE-2017-11163 are the same? It seems to me that they have a different origin (link-php vs aggregate_graphs.php). As long as there are two CVEs assigned here we need to treat https://github.com/Cacti/cacti/issues/847 and https://github.com/Cacti/cacti/issues/838 as different issues. If you feel confident that these issues are the same, you should contact mitre and open a dispute via https://cveform.mitre.org/
Oh, I see what you mean now :) According to upstream this second issue was also fixed with the patch for the first one. We can close this bug then. As per upstream recommendation, please try to update cacti to 1.1.3 when it's available. Thanks!
@Andrej Thank you. Maybe you can open a new BZ for CVE-2017-10970?
(In reply to Morten Stevens from comment #5) > @Andrej > > Thank you. Maybe you can open a new BZ for CVE-2017-10970? Flaw bug and trackers for CVE-2017-10970 are now live, feel free to change them as you want.