CVE-2020-14424 (https://bugzilla.redhat.com/show_bug.cgi?id=2001016): Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme. Please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4de2d16bde77e959301b1a6ee62e9f9ceecaa66

commit f4de2d16bde77e959301b1a6ee62e9f9ceecaa66
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-10 03:39:15 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-10 03:48:54 +0000

    net-analyzer/cacti: add 1.2.19

    Bug: https://bugs.gentoo.org/823788
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/cacti/Manifest            |  1 +
 net-analyzer/cacti/cacti-1.2.19.ebuild | 49 ++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
1.2.19 release notes mention: "security #4356: Further fixes for grave character security protection" https://github.com/Cacti/cacti/issues/4356
Please clean up
CVE-2022-48547 (https://github.com/Cacti/cacti/issues/1882): A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php. Fix is in 1.2.19: https://github.com/Cacti/cacti/commit/2b8097c06030ab72c5b3bdadb23dceb5332f0e94