CVE-2017-12066
First published: Tue Aug 01 2017(Updated: )
Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Cacti before 1.1.16 allows remote authenticated users to inject arbitrary web script or HTML via specially crafted HTTP Referer headers, related to the $cancel_url variable. NOTE: this vulnerability exists because of an incomplete fix (lack of the htmlspecialchars ENT_QUOTES flag) for CVE-2017-11163.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <=1.1.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-12066?
The severity of CVE-2017-12066 is classified as medium with a score of 5.4.
How do I fix CVE-2017-12066?
To fix CVE-2017-12066, upgrade to Cacti version 1.1.16 or later.
What type of vulnerability is CVE-2017-12066?
CVE-2017-12066 is a cross-site scripting (XSS) vulnerability.
Who is affected by CVE-2017-12066?
CVE-2017-12066 affects remote authenticated users of Cacti versions prior to 1.1.16.
What component of Cacti is involved in CVE-2017-12066?
CVE-2017-12066 involves the aggregate_graphs.php component of Cacti.
- collector/nvd-index
- vendor/cacti
- product/cacti
- canonical/cacti cacti