1896695 – (CVE-2020-25706) CVE-2020-25706 cacti: Improper escaping of error message leads to XSS during template import preview

Bug 1896695 (CVE-2020-25706) - CVE-2020-25706 cacti: Improper escaping of error message leads to XSS during template import preview

Summary: CVE-2020-25706 cacti: Improper escaping of error message leads to XSS during ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-25706
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-11 10:06 UTC by Michael Kaplan
Modified:	2021-10-28 05:27 UTC (History)
CC List:	3 users (show)
Fixed In Version:	cacti 1.2.14
Doc Type:	---
Doc Text:	A Cross-site scripting (XSS) flaw was found in Cacti in the templates_import.php, caused by an improper escaping of error message during the template import preview in the xml_path field. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed:	2021-10-28 05:27:39 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2020-11-11 10:06:19 UTC

A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti
1.2.13) due to Improper escaping of error message during template
import preview in the xml_path field

Comment 1 Michael Kaplan 2020-11-11 10:06:25 UTC

Acknowledgments:

Name: listerjoe

Comment 3 Michael Kaplan 2020-11-11 10:06:52 UTC

External References:

https://github.com/Cacti/cacti/issues/3723
https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e

Note You need to log in before you can comment on or make changes to this bug.