CVE-2009-4032

Publication date 29 November 2009

Last updated 24 July 2024

Ubuntu priority

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
cacti	11.10 oneiric	Fixed 0.8.7g-1
	11.04 natty	Fixed 0.8.7g-1
	10.10 maverick	Fixed 0.8.7g-1
	10.04 LTS lucid	Not affected
	9.10 karmic	Ignored end of life
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Ignored end of life

Notes

jdstrand

cross_site_fix.patch still not applied as of 0.8.7e-4

mdeslaur

patch is in fact in the lucid package

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
cacti	Upstream: http://www.cacti.net/download_patches.php Upstream: http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch

References

Other references

https://www.cve.org/CVERecord?id=CVE-2009-4032