VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2010 · Updated Apr 29, 2026

CVE-2010-2543

Description

Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary web script or HTML via the graph_start parameter to graph.php. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-4032.2.b.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS in Cacti's graph.php via the graph_start parameter bypasses an incomplete fix for CVE-2009-4032, affecting versions before 0.8.7g.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the include/top_graph_header.php component of Cacti before version 0.8.7g. The graph_start parameter passed to graph.php is not properly sanitized, allowing an attacker to inject arbitrary web script or HTML. This vulnerability represents an incomplete fix for a previously identified XSS issue (CVE-2009-4032), specifically the "XSS 4" vector that was not addressed in earlier patches [1][2][3].

Exploitation

An attacker can trigger the vulnerability by sending a crafted HTTP request to graph.php with a malicious graph_start parameter. The attack requires no authentication and can be delivered via a link or by embedding the malicious URL in a third-party site, tricking a victim into clicking it. No special network position or user interaction beyond clicking the link is needed [1][2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected Cacti site. This can lead to theft of cookies, session hijacking, defacement of the page, or redirection to attacker-controlled content. The attacker does not gain elevated server-side privileges; the impact is limited to the client-side session [1][2][3].

Mitigation

The issue is fixed in Cacti version 0.8.7g, released in or around July 2010. Administrators should upgrade to 0.8.7g or later. No workarounds are documented in the available references. The fix is included in SVN revision 6025 [2][3]. For distributions such as Fedora and EPEL, updated packages were pushed to stable repositories (e.g., cacti-0.8.7e-3 for older releases) [1].
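The Vulnerability and Mitigation sections above describe the defect (a request parameter reflected into the page without sanitization) and the remedy (the 0.8.7g fix) only in prose. The following is an added PHP illustration, not Cacti's code and not the actual 0.8.7g patch: a hypothetical header fragment that echoes `graph_start` back into a form field, shown first in the unsafe form and then hardened by validating the value as a Unix timestamp and HTML-encoding it on output. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added illustration (not Cacti's code): a hypothetical header that reflects
// the graph_start request parameter back into an HTML form field.

// Vulnerable pattern: the raw parameter is concatenated into markup, so a
// value containing quotes or angle brackets can close the attribute and
// inject arbitrary HTML or script (the class of bug CVE-2010-2543 describes).
function render_graph_header_unsafe(array $request): string
{
    $graphStart = $request['graph_start'] ?? '';
    return '<input type="hidden" name="graph_start" value="' . $graphStart . '">';
}

// Hardened pattern. graph_start is a Unix timestamp, so validate it as a
// non-negative integer and fall back to a harmless default when it is not.
// htmlspecialchars() is applied on output as a second layer; it is what
// protects the page if the reflected value is ever a free-form string.
function render_graph_header_safe(array $request): string
{
    $raw = $request['graph_start'] ?? '';
    $graphStart = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($graphStart === false) {
        $graphStart = 0; // never echo the rejected input back to the client
    }
    $encoded = htmlspecialchars((string) $graphStart, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="graph_start" value="' . $encoded . '">';
}

// Constructed sample requests: a real timestamp and a value that is not one.
$samples = [
    'benign'  => ['graph_start' => '1282521600'],
    'hostile' => ['graph_start' => '"><b>not a timestamp</b>'],
];

foreach ($samples as $label => $request) {
    echo "[$label] unsafe: ", render_graph_header_unsafe($request), "\n";
    echo "[$label] safe:   ", render_graph_header_safe($request), "\n";
}
```

Running the block shows the difference: for the hostile sample the unsafe function emits `value=""><b>not a timestamp</b>">`, so the browser sees the attribute closed and the injected element rendered, while the hardened function rejects the value at validation and emits `value="0"`. Validating type before output is the stronger control here because it leaves nothing attacker-supplied to encode; the encoding step remains as defence in depth against the pattern that the incomplete CVE-2009-4032 fix missed.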

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (39)

  • cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* (range: <=0.8.7f)
  • cpe:2.3:a:cacti:cacti:0.5:-:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.6.8a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.2a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.3a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.5a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6b:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6c:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6d:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6f:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6g:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6h:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6i:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6j:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.6k:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7a:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7b:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7c:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7d:*:*:*:*:*:*:*
  • cpe:2.3:a:cacti:cacti:0.8.7e:*:*:*:*:*:*:*
  • (no CPE) (range: <0.8.7g)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.