Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626992 (CVE-2017-12066) - <net-analyzer/cacti-1.1.20: Cross-site scripting (XSS) vulnerability in aggregate_graphs.php (CVE-2017-12066)
Summary: <net-analyzer/cacti-1.1.20: Cross-site scripting (XSS) vulnerability in aggre...
Status: RESOLVED FIXED
Alias: CVE-2017-12066
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2014-4000 CVE-2017-11691 CVE-2017-12065 CVE-2017-12978
  Show dependency tree
 
Reported: 2017-08-03 16:37 UTC by Aleksandr Wagner (Kivak)
Modified: 2019-04-19 07:53 UTC (History)
1 user (show)

See Also:
Package list:
=net-analyzer/cacti-1.1.20 =net-analyzer/cacti-spine-1.1.20
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-08-03 16:37:12 UTC 
CVE-2017-12066 (https://nvd.nist.gov/vuln/detail/CVE-2017-12066):

Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.

References:

https://cacti.net/release_notes.php?version=1.1.16
https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e
https://github.com/Cacti/cacti/issues/877
Comment 1 Aleksandr Wagner (Kivak) 2017-08-21 08:05:43 UTC 
Fixed ebuild pushed to git:

From 2a10b99341a3bc93d00cb9eba4a020cb71f78bf8 Mon Sep 17 00:00:00 2001
From: Jeroen Roovers <jer@gentoo.org>
Date: Sun, 20 Aug 2017 09:02:02 +0200
Subject: net-analyzer/cacti: Version bump.

Package-Manager: Portage-2.3.8, Repoman-2.3.3
---
 net-analyzer/cacti/Manifest            |  1 +
 net-analyzer/cacti/cacti-1.1.18.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 net-analyzer/cacti/cacti-1.1.18.ebuild


@Maintainer(s): Please state if the package is ready for stabilization.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 13:47:16 UTC 
@ Maintainer(s): Please tell us if we can start stabilization of =net-analyzer/cacti-1.1.18.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-09-04 07:33:26 UTC 
Stable on alpha.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:18:25 UTC 
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-03 00:42:42 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-10-25 09:31:44 UTC 
amd64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 15:19:50 UTC 
tree is clean.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-08 22:08:14 UTC 
sparc stable (thanks to Rolf Eike Beer)