CVE-2009-4032
Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php.
Múltiples vulnerabilidades de XSS en Cacti 0.8.7e permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de vectores relacionados con (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php y (4) lib/timespan_settings.php, como es demostrado por los parámetros (a) graph_end o (b) graph_start a graph.php; (c) el parámetro date1 en una acción tree a graph_view.php; y los parámetros (d) page_refresh y (e) default_dual_pane_width a graph_settings.php.
Cacti versions 0.8.7e and below suffer from cross site scripting and privilege escalation vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-11-20 CVE Reserved
- 2009-11-21 First Exploit
- 2009-11-27 CVE Published
- 2024-08-07 CVE Updated
- 2024-08-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (28)
| URL | Tag | Source |
|---|---|---|
| http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html | Mailing List | |
| http://bugs.gentoo.org/show_bug.cgi?id=294573 | X_refsource_confirm | |
| http://jvn.jp/en/jp/JVN09758120/index.html | Third Party Advisory | |
| http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-003901.html | Third Party Advisory | |
| http://www.cacti.net/download_patches.php | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2009/11/26/1 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2009/11/30/2 | Mailing List |
|
| http://www.osvdb.org/60483 | Vdb Entry | |
| http://www.securityfocus.com/archive/1/508129/100/0/threaded | Mailing List | |
| http://www.vupen.com/english/advisories/2010/2132 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/54388 | Vdb Entry |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/33374 | 2009-11-21 | |
| https://www.exploit-db.com/exploits/10234 | 2009-11-26 |
| URL | Date | SRC |
|---|---|---|
| http://docs.cacti.net/#cross-site_scripting_fixes | 2023-02-13 | |
| http://www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch | 2023-02-13 | |
| http://www.openwall.com/lists/oss-security/2009/11/25/2 | 2023-02-13 | |
| http://www.openwall.com/lists/oss-security/2009/11/25/4 | 2023-02-13 | |
| http://www.securityfocus.com/bid/37109 | 2023-02-13 | |
| http://www.vupen.com/english/advisories/2009/3325 | 2023-02-13 |
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/37481 | 2023-02-13 | |
| http://secunia.com/advisories/37934 | 2023-02-13 | |
| http://secunia.com/advisories/38087 | 2023-02-13 | |
| http://secunia.com/advisories/41041 | 2023-02-13 | |
| https://rhn.redhat.com/errata/RHSA-2010-0635.html | 2023-02-13 | |
| https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01390.html | 2023-02-13 | |
| https://www.redhat.com/archives/fedora-package-announce/2010-January/msg00166.html | 2023-02-13 | |
| https://access.redhat.com/security/cve/CVE-2009-4032 | 2010-08-20 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=541279 | 2010-08-20 |