CVE-2017-12066

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.1.16

Description A cross-site scripting (XSS) issue exists, allowing remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the cancel url variable. This issue is due to an incomplete fix that lacked the htmlspecialchars ENT QUOTES flag.

Recommendations For versions prior to 1.1.16, update to version 1.1.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the aggregate graphs.php file until a patch is applied. Avoid using specially crafted HTTP Referer headers in the affected cancel url variable until the issue is resolved.