PT-2010-4096 · Cacti · Cacti

Marc Schoenefeld · Published 2010-08-23 · Updated 2023-02-13 · CVE-2010-2545

CVSS v2.0: 4.3 (Medium), Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 0.8.7g
Description: Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g. Remote attackers can inject arbitrary web script or HTML via the name element of an XML template submitted to templates_import.php: the name is stored and later echoed without output escaping, so the markup executes in the browser of every administrator who views it. Additionally, remote authenticated administrators can inject arbitrary web script or HTML via various vectors related to cdef.php, data_input.php, data_queries.php, data_sources.php, data_templates.php, gprint_presets.php, graph.php, graphs_new.php, graphs.php, graph_templates_inputs.php, graph_templates_items.php, graph_templates.php, graph_view.php, host.php, host_templates.php, lib/functions.php, lib/html_form.php, lib/html_form_template.php, lib/html.php, lib/html_tree.php, lib/rrd.php, rra.php, tree.php, and user_admin.php.
Recommendations: For versions prior to 0.8.7g, update to version 0.8.7g or later, which escapes the affected output. Until the update is applied, restrict access to templates_import.php and the other affected scripts (for example, to trusted administrator addresses), and import only XML templates from trusted sources after checking their name elements for HTML markup or script. The remaining vectors require an authenticated administrator, so limiting the number of administrator accounts and their session lifetime reduces exposure.
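The templates_import.php vector and the workaround check from the recommendations, as an added example that is not Cacti's own code: a template whose name element carries markup is parsed, rendered the way the vulnerable code did (raw concatenation into HTML) and the way the fix does (escaped at output), and a pre-import scan flags such names. The XML layout, element names and hash identifiers below are simplified assumptions for illustration, not Cacti's exact export format.

```python
"""Stored XSS through an imported template name, and the escaping that closes it.

Added example, not code from Cacti. The template layout is an assumption
made for illustration; only the <name> element matters for the demonstration.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample: a template whose name carries a script payload.
# (XML-escaped here so the parser yields the literal <script> tag as text.)
HOSTILE_TEMPLATE = """<cacti>
  <hash_000000deadbeef>
    <name>Router Uplink&lt;script&gt;alert(document.cookie)&lt;/script&gt;</name>
  </hash_000000deadbeef>
</cacti>"""

# Constructed sample: an ordinary template name with no markup.
BENIGN_TEMPLATE = """<cacti>
  <hash_000000cafebabe>
    <name>Router Uplink (Gbit/s)</name>
  </hash_000000cafebabe>
</cacti>"""


def template_names(xml_text):
    """Return the text of every <name> element found anywhere in the template."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter("name")]


def render_unescaped(name):
    """Vulnerable pattern: the stored name is concatenated straight into HTML,
    so any markup inside it becomes part of the page DOM for every admin
    who views the template list."""
    return "<td>" + name + "</td>"


def render_escaped(name):
    """Fixed pattern: untrusted text is HTML-escaped at the point of output,
    so the browser renders the payload as literal text."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


# Characters and schemes that have no place in a display label.
MARKUP = re.compile(r"""[<>"']|&#|javascript:""", re.IGNORECASE)


def suspicious_names(xml_text):
    """Workaround check for an unpatched host: flag template names containing
    markup or a javascript: scheme so an admin can reject a third-party
    template before handing it to templates_import.php."""
    return [n for n in template_names(xml_text) if MARKUP.search(n)]


if __name__ == "__main__":
    for n in template_names(HOSTILE_TEMPLATE):
        print("unescaped:", render_unescaped(n))
        print("escaped:  ", render_escaped(n))
    print("flagged in hostile template:", suspicious_names(HOSTILE_TEMPLATE))
    print("flagged in benign template: ", suspicious_names(BENIGN_TEMPLATE))
```

The scan is a stop-gap for operators who cannot upgrade immediately; the actual fix is output escaping, which 0.8.7g applies wherever these names are displayed.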

XSS

Weakness Enumeration

Related Identifiers

CVE-2010-2545
DSA-2384-1
RHSA-2010:0635

Affected Products

Cacti