Bug 628480 (CVE-2017-12978) - <net-analyzer/cacti-1.1.20: XSS via the title field of an external link (CVE-2017-12978)
Summary: <net-analyzer/cacti-1.1.20: XSS via the title field of an external link (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2017-12978
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: C4 [noglsa cve]
Keywords:
Depends on: CVE-2017-12066
Blocks:
Reported: 2017-08-21 07:59 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-11-11 19:49 UTC

See Also:
Package list:
Runtime testing required: ---
Description Aleksandr Wagner (Kivak) 2017-08-21 07:59:31 UTC
CVE-2017-12978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12978):

lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.

References:

https://github.com/Cacti/cacti/blob/develop/docs/CHANGELOG#L18
https://github.com/Cacti/cacti/issues/918
https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 13:39:57 UTC
Stabilization will happen in bug 626992.