Multiple Vulnerabilities discovered in the package Cacti

Loginsoft-2019-1036
February 11, 2019

CVE Number

CVE – CVE-2018-20723

CWE Number

CWE – 79

Product Details

Cacti is an open source network graphing solution designed to harness the power of RRD Tool’s data storage and graphing functionality.
URL: https://www.cacti.net/

Vulnerable Versions

v1.1.38

Vulnerability Details

Before printing the `Name` value on the color ‘Template’ page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/Cacti/cacti/issues/2215

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
Timeline

Vendor Disclosure: 2018-12-15
Public Disclosure: 2019-02-11

CVE Number

CVE – CVE-2018-20725

Vulnerability Details

Before printing the `Vertical Table` value on the ‘Graphic Template page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/Cacti/cacti/issues/2214

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
Timeline

Vendor Disclosure: 2018-12-15
Public Disclosure: 2019-02-11

CVE Number

CVE – CVE-2018-20726

Vulnerability Details

Before printing the `Hostname` value on the ‘Tree’  table, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/Cacti/cacti/issues/2213

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
Timeline

Vendor Disclosure: 2018-12-16
Public Disclosure: 2019-02-11

CVE Number

CVE – CVE-2018-20724

Vulnerability Details

Before printing the `Hostname` value on the ‘Data collectors table’, there is no escape being done, leaving the application vulnerable to the specific XSS attack.

Reference link: https://github.com/Cacti/cacti/issues/2212

Mitigations
  • Avoid inserting or adding the untrusted input data
  • Always perform the sanitation of the input data like HTML escape, Attribute escape, JavaScript escape JSON parsing and HTML encoding before inserting them into the page content
  • It is advisable to practice content security policy and adopt the auto escaping template system
  • Implement the X-XSS-Protection response header
Timeline

Vendor Disclosure: 2018-12-15
Public Disclosure: 2019-02-11
Patch: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d

Credit

Discovered by ACE Team – Loginsoft