CVE-2009-4032
CVE-2009-4032
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php.
Affected products
n/a · n/apublic PoCs found — 2
exploitdbwww.exploit-db.com/exploits/10234unverifiedexploitdbwww.exploit-db.com/exploits/33374unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.htmlhttp://bugs.gentoo.org/show_bug.cgi?id=294573http://docs.cacti.net/#cross-site_scripting_fixeshttp://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-003901.htmlhttp://jvn.jp/en/jp/JVN09758120/index.htmlhttp://secunia.com/advisories/37481http://secunia.com/advisories/37934http://secunia.com/advisories/38087http://secunia.com/advisories/41041https://exchange.xforce.ibmcloud.com/vulnerabilities/54388https://rhn.redhat.com/errata/RHSA-2010-0635.htmlhttps://www.redhat.com/archives/fedora-package-announce/2009-December/msg01390.html