CVE-2010-2543
Vulnerability Summary
Description
Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary web script or HTML via the graph_start parameter to graph.php. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-4032.2.b.
CVSS Metrics
- v2.0 • MEDIUM • Score: 4.3 • AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 10.51% • Percentile: 93%
Techniques & Countermeasures
- CWE-79 • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Affected Systems
- Unknown • Cacti
≤ 0.8.7f | 0.5 | 0.6 | 0.6.1 | 0.6.2 | 0.6.3 | 0.6.4 | 0.6.5 | 0.6.6 | 0.6.7 | 0.6.8 | 0.6.8a | 0.8 | 0.8.1 | 0.8.2 | 0.8.2a | 0.8.3 | 0.8.3a | 0.8.4 | 0.8.5 | 0.8.5a | 0.8.6 | 0.8.6a | 0.8.6b | 0.8.6c | 0.8.6d | 0.8.6f | 0.8.6g | 0.8.6h | 0.8.6i | 0.8.6j | 0.8.6k | 0.8.7 | 0.8.7a | 0.8.7b | 0.8.7c | 0.8.7d | 0.8.7e
References (7)
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:160
- http://marc.info/?l=oss-security&m=127978954522586&w=2
- https://bugzilla.redhat.com/show_bug.cgi?id=541279
- http://cacti.net/release_notes_0_8_7g.php
- http://marc.info/?l=oss-security&m=128017203704299&w=2
- http://svn.cacti.net/viewvc?view=rev&revision=6025
- http://svn.cacti.net/viewvc/cacti/branches/0.8.7/include/top_graph_header.php?r1=6025&r2=6024