Source: cacti
Version: 1.1.15+ds1-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/Cacti/cacti/issues/877

Hi,

the following vulnerability was published for cacti.

CVE-2017-12066[0]:
| Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in
| Cacti before 1.1.16 allows remote authenticated users to inject
| arbitrary web script or HTML via specially crafted HTTP Referer
| headers, related to the $cancel_url variable. NOTE: this vulnerability
| exists because of an incomplete fix (lack of the htmlspecialchars
| ENT_QUOTES flag) for CVE-2017-11163.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12066
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066
[1] https://github.com/Cacti/cacti/issues/877
    (yes, the same commit and upstream issue as CVE-2017-12065, since the
    reporter mixed/collected the report in one upstream issue).

Regards,
Salvatore
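Added illustration, not part of the bug report above and not Cacti's own code: the PHP below shows why a fix that calls htmlspecialchars() without ENT_QUOTES is incomplete when the escaped value ends up inside a single-quoted HTML attribute. The Referer value, the markup of the cancel link and the helper names are all constructed for this example; the real aggregate_graphs.php code and the reporter's proof of concept are not reproduced.

```php
<?php
// Added example (not Cacti's code). Demonstrates the difference between
// htmlspecialchars() with ENT_COMPAT (no single-quote escaping) and with
// ENT_QUOTES, using a constructed Referer-derived URL.

declare(strict_types=1);

/**
 * Escape the way a fix without ENT_QUOTES does. ENT_COMPAT converts
 * & < > and " but leaves ' untouched. It is also what PHP < 8.1 uses
 * when no flags are given; PHP 8.1 changed the default to include
 * ENT_QUOTES, so the flag is passed explicitly here to make the
 * behaviour the same on every PHP version.
 */
function escape_without_quotes(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

/** Escape with ENT_QUOTES, which additionally turns ' into &#039;. */
function escape_with_quotes(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Render a cancel link the way a template with single-quoted attributes
 * would (constructed markup; the attribute quoting style is the point).
 */
function render_cancel_link(string $cancel_url): string
{
    return "<a class='ui-button' href='" . $cancel_url . "'>Cancel</a>";
}

/**
 * Crude reviewer check: if any raw ' survives in the escaped value, the
 * single-quoted href attribute can be closed early and a new attribute
 * (or a new tag) injected.
 */
function attribute_breaks_out(string $escaped_value): bool
{
    return strpos($escaped_value, "'") !== false;
}

// Constructed attacker-controlled Referer header value. Nothing in it is
// affected by ENT_COMPAT, because it contains no & < > or " characters.
$referer = "http://cacti.example/graphs.php?action=view' onmouseover='alert(1)";

$weak = escape_without_quotes($referer);
$safe = escape_with_quotes($referer);

echo "ENT_COMPAT : ", render_cancel_link($weak), PHP_EOL;
echo "breaks out : ", var_export(attribute_breaks_out($weak), true), PHP_EOL;
echo "ENT_QUOTES : ", render_cancel_link($safe), PHP_EOL;
echo "breaks out : ", var_export(attribute_breaks_out($safe), true), PHP_EOL;
```

With ENT_COMPAT the constructed Referer passes through unchanged, so the rendered link acquires an attacker-chosen onmouseover attribute; with ENT_QUOTES the single quotes become &#039; and the value stays inside the href. As a general caveat beyond this particular fix: the Referer header is attacker-influenced, so a cancel URL is better built from a known-good application path (or at least validated against the application's own origin) than escaped after the fact; output escaping then remains a second line of defence rather than the only one.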