CVE-2009-4032
Description
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) graph.php, (2) include/top_graph_header.php, (3) lib/html_form.php, and (4) lib/timespan_settings.php, as demonstrated by the (a) graph_end or (b) graph_start parameters to graph.php; (c) the date1 parameter in a tree action to graph_view.php; and the (d) page_refresh and (e) default_dual_pane_width parameters to graph_settings.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple cross-site scripting vulnerabilities in Cacti 0.8.7e allow remote attackers to inject arbitrary script or HTML via various parameters in multiple pages.
Vulnerability
Cacti 0.8.7e contains multiple reflected cross-site scripting (XSS) vulnerabilities due to improper sanitization of user-supplied input in graph.php, include/top_graph_header.php, lib/html_form.php, and lib/timespan_settings.php. The affected parameters include graph_end and graph_start in graph.php, date1 in a tree action to graph_view.php, and page_refresh and default_dual_pane_width in graph_settings.php. Versions up to and including 0.8.7e are vulnerable [2][4].
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL that places script payloads in the vulnerable parameters and tricking an authenticated Cacti user into visiting that URL. Crafting the URL requires no privileges or authentication; the only requirement is that the victim is logged in to the Cacti application. When the victim views the crafted page, the script executes in the context of the victim's session [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, data theft, or further compromise of the Cacti instance. The attack operates within the security context of the authenticated user's session [2].
Mitigation
The vendor addressed these issues in Cacti 0.8.7f, released in 2010. Users should upgrade to 0.8.7f or later. If upgrading is not immediately possible, administrators should restrict access to trusted users and review available patches from the Cacti project [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
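Because the fix is an upgrade, the practical question for operators still on 0.8.7e is whether anyone is probing the parameters named above. The following is an added detection example, not code from the page or from the Cacti project: it walks combined-format web-server access logs and flags requests to graph.php, graph_view.php and graph_settings.php whose watched parameters (graph_start, graph_end, date1, page_refresh, default_dual_pane_width) carry markup, which none of those timestamp, date or width values should ever contain. The log lines are constructed for the demonstration, and the log format and the /cacti/ install prefix are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Parameters named in the CVE-2009-4032 description, keyed by the script that reads them.
WATCHED = {
    "/graph.php": {"graph_start", "graph_end"},
    "/graph_view.php": {"date1"},
    "/graph_settings.php": {"page_refresh", "default_dual_pane_width"},
}
# Markup that has no business in a timestamp, date, refresh interval or pane width.
MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Combined log format (Apache/nginx, assumed): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_params(target):
    """Return {param: decoded value} for watched parameters whose value carries markup."""
    parts = urlsplit(target)
    # Match on the trailing script name so an install under /cacti/ still matches.
    watched = next((p for script, p in WATCHED.items() if parts.path.endswith(script)), None)
    if not watched:
        return {}
    found = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            # parse_qs decoded once; decode again to catch %253C-style double encoding.
            decoded = unquote_plus(value)
            if MARKUP.search(decoded):
                found[name] = decoded
    return found

def scan_log(lines):
    """Return one record per request whose watched parameters contain markup."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        params = suspicious_params(match["target"])
        if params:
            hits.append({"client": match["client"], "ts": match["ts"],
                         "path": urlsplit(match["target"]).path, "params": params})
    return hits
# Constructed sample access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Nov/2009:10:00:01 +0000] "GET /cacti/graph.php?action=view&local_graph_id=5&graph_start=1259100000&graph_end=1259140000 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Nov/2009:10:00:02 +0000] "GET /cacti/graph.php?action=view&local_graph_id=5&graph_start=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Nov/2009:10:00:03 +0000] "GET /cacti/graph_settings.php?page_refresh=300%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 1024',
    '10.0.0.7 - - [25/Nov/2009:10:00:04 +0000] "GET /cacti/graph_view.php?action=tree&tree_id=1&date1=2009-11-24+00:00 HTTP/1.1" 200 2048',
]
```

Running `scan_log(SAMPLE_LOG)` reports the two requests from 10.0.0.9 and ignores the well-formed timestamp and date values; a hit for a still-unpatched instance is a prompt to upgrade to 0.8.7f and to check the flagged client's other requests.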
Affected products
- cpe:2.3:a:cacti:cacti:0.8.7e:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- docs.cacti.net (NVD; Patch)
- www.cacti.net/downloads/patches/0.8.7e/cross_site_fix.patch (NVD; Patch)
- www.openwall.com/lists/oss-security/2009/11/25/2 (NVD; Patch)
- www.openwall.com/lists/oss-security/2009/11/25/4 (NVD; Patch)
- www.securityfocus.com/bid/37109 (NVD; Patch)
- www.vupen.com/english/advisories/2009/3325 (NVD; Patch; Vendor Advisory)
- secunia.com/advisories/37481 (NVD; Vendor Advisory)
- secunia.com/advisories/37934 (NVD; Vendor Advisory)
- secunia.com/advisories/38087 (NVD; Vendor Advisory)
- secunia.com/advisories/41041 (NVD; Vendor Advisory)
- archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html (NVD)
- bugs.gentoo.org/show_bug.cgi (NVD)
- jvn.jp/en/jp/JVN09758120/index.html (NVD)
- jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-003901.html (NVD)
- www.cacti.net/download_patches.php (NVD)
- www.openwall.com/lists/oss-security/2009/11/26/1 (NVD)
- www.openwall.com/lists/oss-security/2009/11/30/2 (NVD)
- www.osvdb.org/60483 (NVD)
- www.securityfocus.com/archive/1/508129/100/0/threaded (NVD)
- www.vupen.com/english/advisories/2010/2132 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/54388 (NVD)
- rhn.redhat.com/errata/RHSA-2010-0635.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-December/msg01390.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2010-January/msg00166.html (NVD)
News mentions
No linked articles in our index yet.