CVE-2014-4002

Name of the Vulnerable Software and Affected Versions Cacti version 0.8.8b

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected parameters include drp action to various PHP files, as well as graph template input id and graph template id parameters to graph templates inputs.php. The specific PHP files affected are cdef.php, data input.php, data queries.php, data sources.php, data templates.php, graph templates.php, graphs.php, host.php, and host templates.php.

Recommendations For Cacti version 0.8.8b, consider disabling access to the affected PHP files until a patch is available. Restrict input for the drp action, graph template input id, and graph template id parameters to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.