Bug 1667023 (CVE-2018-20723, CVE-2018-20724, CVE-2018-20725, CVE-2018-20726) - CVE-2018-20724 CVE-2018-20725 CVE-2018-20726 CVE-2018-20723 cacti: Multiple cross-site scripting vulnerabilities fixed in 1.2.0 version
Summary: CVE-2018-20724 CVE-2018-20725 CVE-2018-20726 CVE-2018-20723 cacti: Multiple c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20723, CVE-2018-20724, CVE-2018-20725, CVE-2018-20726
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1667024
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-17 09:27 UTC by Andrej Nemec
Modified: 2021-10-27 03:23 UTC (History)
3 users (show)

Fixed In Version: cacti 1.2.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:23:38 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2019-01-17 09:27:01 UTC 
CVE-2018-20723

A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.

https://github.com/Cacti/cacti/blob/develop/CHANGELOG
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
https://github.com/Cacti/cacti/issues/2215

CVE-2018-20724

A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.

https://github.com/Cacti/cacti/blob/develop/CHANGELOG
https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53
https://github.com/Cacti/cacti/issues/2212

CVE-2018-20725

A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
https://github.com/Cacti/cacti/blob/develop/CHANGELOG
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
https://github.com/Cacti/cacti/issues/2214

CVE-2018-20725

A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
https://github.com/Cacti/cacti/blob/develop/CHANGELOG
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
https://github.com/Cacti/cacti/issues/2213
Comment 1 Andrej Nemec 2019-01-17 09:27:08 UTC 
Created cacti tracking bugs for this issue:

Affects: epel-all [bug 1667024]
Note You need to log in before you can comment on or make changes to this bug.