Cacti is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Cacti 0.8.7e is vulnerable; other versions may be affected as well.
New version is in the tree. Arch teams, please, stabilize.
Stable on alpha.
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php.
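The two descriptions above (the HTML-injection summary and the XSS entry naming the affected PHP files) both come down to the same defect: a request-controlled value is written into the generated page without being escaped for the HTML context. The following is an added example, not code from Cacti or from this bug's fix, that shows the unsafe pattern next to the hardened one in PHP. The function names and the `graph_title` request parameter are hypothetical, and the sample value is constructed.

```php
<?php
// Added example (not Cacti's own code): rendering a user-controlled
// graph title into HTML. The value is assumed to come from an untrusted
// request parameter; the name $_GET['graph_title'] is hypothetical.

// Unsafe pattern: the raw value is concatenated into markup, so any
// '<', '"' or '&' in it is interpreted as HTML by the browser.
function render_title_unsafe(string $title): string
{
    return '<h2 class="graph-title">' . $title . '</h2>';
}

// Hardened pattern: escape for the HTML context before concatenation.
// ENT_QUOTES covers both single and double quotes (needed inside attribute
// values), ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string, and the explicit charset avoids
// encoding-dependent surprises.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_title_safe(string $title): string
{
    return '<h2 class="graph-title">' . esc($title) . '</h2>';
}

// The same rule applies to attribute values: escape them and always
// quote the attribute, otherwise whitespace in the value breaks out of it.
function render_hidden_field_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . esc($name)
         . '" value="' . esc($value) . '">';
}

// Constructed sample input containing markup characters; on the command
// line $_GET is empty, so the fallback value is used.
$title = $_GET['graph_title'] ?? 'Memory <usage> & "load"';

echo render_title_unsafe($title), PHP_EOL;
echo render_title_safe($title), PHP_EOL;
echo render_hidden_field_safe('graph_title', $title), PHP_EOL;
```

Escaping has to happen at the point of output and match the context the value lands in (HTML body, attribute, JavaScript, URL); a single input filter on the way in is not a substitute, which is why a review of an affected release should look at every `echo`/`print` of request data in the named files rather than at the request-parsing code alone.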
Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.
Stable for PPC.
All arches done. Closing noglsa.