CVE-2017-12978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12978): lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user. References: https://github.com/Cacti/cacti/blob/develop/docs/CHANGELOG#L18 https://github.com/Cacti/cacti/issues/918 https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24
Stabilization will happen in bug 626992.