oss-sec mailing list archives
Re: CVE Request: 3 XSS vulnerabilities in Cacti <= 0.8.8b
From: cve-assign () mitre org
Date: Sun, 25 Aug 2013 09:33:32 -0400 (EDT)
> Three cross-site scripting vulnerabilities

We think you may mean "Three vulnerabilities" -- not all three are XSS.

> - Reflected XSS in the "step" parameter of the "/install/index.php" script
> - Stored XSS in the id parameter in the "/cacti/host.php" script

Use CVE-2013-5588 for both of these XSS issues.

> - "/cacti/host.php" script is vulnerable to Blind SQL Injection in the "id" parameter.

Use CVE-2013-5589 for this SQL injection issue.

> input_validate_input_number(get_request_var_post("host_template_id"));
This code was added to host.php in both 0.8.8 and 0.8.9, but we think that it might be impossible to exploit the host_template_id parameter for either XSS or SQL injection. If there is a usable attack with the host_template_id parameter, please request another CVE ID. Any vulnerability for the host_template_id parameter is not within the scope of either CVE-2013-5588 or CVE-2013-5589.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]