CVE-2013-2618
Description
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Network Weathermap before 0.97b is vulnerable to persistent XSS via the map_title parameter in editor.php.
Vulnerability
Network Weathermap before version 0.97b contains a persistent cross-site scripting (XSS) vulnerability in editor.php. The map_title parameter is not sanitized, allowing injection of arbitrary HTML and JavaScript [1][2]. The injected payload is stored and later displayed when listing maps via editor.php?action=newfile or in the Cacti plugin interface [1]. Versions before 0.97b are affected.
Exploitation
An attacker must have network access to the Weathermap web interface and the ability to create or edit a map. The attack requires no special privileges; any user with access to the map editor can perform it. The attacker sends a POST request to editor.php with a malicious map_title parameter. For example, using the payload `` [1][2]. The payload is stored and triggers when any user views the map list.
Impact
Successful exploitation leads to persistent XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, cookie theft, defacement, or further attacks on the application and its users. If Weathermap is used as a plugin for Cacti, the attacker may also exploit Cacti via the vulnerable interface [1][2].
Mitigation
The vulnerability is fixed in version 0.97b [1][2]. Users should upgrade to the latest version. If upgrading is not immediately possible, ensure that only trusted users have access to the map editor and restrict network access to the Weathermap interface. No workaround details are provided by the vendor.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:network-weathermap:.network_weathermap:*:a:*:*:*:*:*:* (range: <=0.97)
- (no CPE) (range: <0.97b)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/121034/Network-Weathermap-0.97a-Cross-Site-Scripting.html (nvd, Exploit)
- seclists.org/fulldisclosure/2013/Apr/1 (nvd, Exploit)
- www.exploit-db.com/exploits/24913 (nvd, Exploit)
- www.network-weathermap.com/content/security-notice-cve-2013-2618-network-weathermap-097a-persistent-xss (nvd, Vendor Advisory)
- osvdb.org/91869 (nvd)
- www.securityfocus.com/bid/58793 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/83187 (nvd)