Headline
CVE-2020-23226: Lack of escaping on some pages can lead to XSS exposure · Issue #3549 · Cacti/cacti
Multiple Cross Site Scripting (XSS) vulneratiblities exist in Cacti 1.2.12 in (1) reports_admin.php, (2) data_queries.php, (3) data_input.php, (4) graph_templates.php, (5) graphs.php, (6) reports_admin.php, and (7) data_input.php.
passed case: 1, 2, 5, 6, 8, 10, 11, 12, 13, 14****Failed case 3, 4, 7, 9
Case3: click/delete a data output field has popup exist
Case4: graph_templates.php add graph items with a color named
- go to present-color, add a color named with <script>alert(‘pcolor’);</script>
- go to template graph, add a graph, add a graph item, popup exist
case7 go to graphs - list view mode, popup exist for reporting with name <script>alert(‘xxx’);</script>
- Go to Reporting page, add a report name with <script>alert(‘reporting’);</script>
- Go to Graphs - list view mode, popup of reporting exist
Case9 data_sources.php page with popup exist
New founded issue
Case#15 place device on a tree named with <script>alert(‘tree’);</script> has popup exist
Case#16 create graph for a device has popup exist due to data query with script
- create a data query with name <script>alert(‘data_query’);</script>
- Go to device page, add the data_query to the device
- Click create graphs for this device, popup exist
Case#17 go to create graph page, popup exist
- create a data query with name <script>alert(‘data_query’);</script>
- Go to device page, add the data_query to the device
- Go to Create - New graphs page, popup for data_query exist
Case#18 create graph for a device has popup exist for color with script
- go to present-color, add a color named with <script>alert(‘pcolor’);</script>
- Create a graph for device, choose Cisco- CPU Usage Graph template
- Click create, popup for pcolor exist
Case#19 go to graphs - preview mode has popup for graph name with script