CVE-2014-5026

Name of the Vulnerable Software and Affected Versions Cacti version 0.8.8b

Description The issue allows remote authenticated users with console access to inject arbitrary web script or HTML. This can be achieved through various means, including a Graph Tree Title in a delete or edit action, CDEF Name, Data Input Method Name, or Host Templates Name in a delete action, Data Source Title, Graph Title, or Graph Template Name in a delete or duplicate action.

Recommendations For Cacti version 0.8.8b, update to a version that includes a fix for this issue to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the console for remote authenticated users until a patch is available. Avoid using the Graph Tree Title, CDEF Name, Data Input Method Name, Host Templates Name, Data Source Title, Graph Title, and Graph Template Name fields in delete, edit, or duplicate actions until the issue is resolved.