VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2010 · Updated Apr 29, 2026

CVE-2010-1644

Description

Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) hostname or (2) description parameter to host.php, or (3) the host_id parameter to data_sources.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cacti before 0.8.7f contains multiple XSS flaws in the hostname, description, and host_id parameters, enabling arbitrary script injection.

Vulnerability

Cacti versions prior to 0.8.7f are affected by multiple cross-site scripting (XSS) vulnerabilities. The flaws exist in host.php via the hostname and description parameters, and in data_sources.php via the host_id parameter. The official description confirms the issue affects Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products [2].

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious URL containing XSS payloads in the vulnerable parameters. The attacker needs no authentication, provided they can trick a victim into clicking the crafted link, and needs no special network position beyond the ability to deliver the URL (e.g., via email or a web page). The Red Hat bug tracker identifies the XSS issues as being reachable in host.php and data_sources.php [2].

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to information disclosure (e.g., session tokens, cookies), defacement, or further attacks against the Cacti installation, depending on the privileges of the victim user.

Mitigation

The fix was released in Cacti version 0.8.7f. Users should upgrade to that version or later. For Red Hat HPC Solution, apply the appropriate vendor update when available. No workarounds are documented in the provided references [2].
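
A log check for the three parameters named in the description, as an added example (not code from the advisory, NVD, or Cacti): it flags requests to host.php or data_sources.php whose decoded hostname or description value contains HTML metacharacters, or whose host_id is not an integer. The log format, the sample lines and the integer assumption for host_id are constructed for illustration, and only query-string parameters are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter names come from the CVE description.
WATCHED = {
    "host.php": ("hostname", "description"),
    "data_sources.php": ("host_id",),
}
MARKUP = re.compile(r"[<>\"']")      # characters that can break out of an HTML context
INTEGER = re.compile(r"-?\d*")       # assumption: host_id is an integer id (may be negative or empty)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return [(script, param, decoded_value)] for watched parameters that look unsafe."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    hits = []
    for param in WATCHED.get(script, ()):
        for value in query.get(param, []):
            if param == "host_id":
                bad = INTEGER.fullmatch(value) is None
            else:
                bad = MARKUP.search(value) is not None
            if bad:
                hits.append((script, param, value))
    return hits


def scan(log_lines):
    """Yield (line_number, script, param, value) for every flagged request line."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            for hit in suspicious_params(match.group(1)):
                yield (number, *hit)


# Constructed sample lines in combined log format, not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /cacti/data_sources.php?host_id=12 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /cacti/data_sources.php?host_id=12%22%3E%3Cb%3E HTTP/1.1" 200 5177',
    '192.0.2.12 - - [01/Jan/2010:10:00:09 +0000] "GET /cacti/host.php?action=edit&description=%3Ci%3Elab%3C%2Fi%3E HTTP/1.1" 200 8040',
    '192.0.2.13 - - [01/Jan/2010:10:00:12 +0000] "GET /cacti/host.php?action=edit&hostname=db1.example.net HTTP/1.1" 200 8001',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit means the request carried markup in one of the affected parameters; whether it was reflected depends on the installed Cacti version.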

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38
  • cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* + 36 more
    • cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* range: <=0.8.7e
    • cpe:2.3:a:cacti:cacti:0.5:-:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.6.8a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.2a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.3a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.5a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6b:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6c:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6d:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6f:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6g:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6h:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6i:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6j:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.6k:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.7a:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.7b:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.7c:*:*:*:*:*:*:*
    • cpe:2.3:a:cacti:cacti:0.8.7d:*:*:*:*:*:*:*
  • Range: <0.8.7f
