CVE-2018-20724
Description
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti upstream (no CPE), range: release/1.0.0, release/1.0.1, release/1.0.2, …
- Cacti upstream (no CPE), range: < 1.2.0
- OSV coordinates (7 package versions), paired with the listed ranges in order:
  - pkg:rpm/opensuse/cacti (distro=openSUSE Leap 15.1), range: < 1.2.9-lp151.3.3.1
  - pkg:rpm/opensuse/cacti (distro=openSUSE Tumbleweed), range: < 1.2.18-1.2
  - pkg:rpm/opensuse/cacti-spine (distro=openSUSE Leap 15.1), range: < 1.2.9-lp151.3.3.1
  - pkg:rpm/suse/cacti (distro=SUSE Package Hub 12), range: < 1.2.11-5.1
  - pkg:rpm/suse/cacti (distro=SUSE Package Hub 15 SP1), range: < 1.2.9-bp151.4.3.1
  - pkg:rpm/suse/cacti-spine (distro=SUSE Package Hub 12), range: < 1.2.11-2.1
  - pkg:rpm/suse/cacti-spine (distro=SUSE Package Hub 15 SP1), range: < 1.2.9-bp151.4.3.1
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the hostname value before rendering in the Data Collectors table allows stored cross-site scripting."
Attack vector
An attacker with access to edit a Data Collector's settings can inject arbitrary HTML/JavaScript into the "Website Hostname" field. The payload is stored in the database and, when any user visits `pollers.php`, the unescaped hostname value is rendered in the Data Collectors table, causing the script to execute in the victim's browser [ref_id=1]. The researcher demonstrated this with the payload `<img src=xss onerror=alert(1)>` [ref_id=1].
Affected code
The vulnerable code is in `pollers.php` in the `form_selectable_cell` call that outputs the hostname value. The patch shows the fix at line 852, where `$poller['hostname']` was passed directly without escaping [ref_id=2].
What the fix does
The patch wraps `$poller['hostname']` with `html_escape()` before passing it to `form_selectable_cell` [ref_id=2]. This ensures that any HTML special characters (such as `<`, `>`, and `"`) in the hostname value are encoded as safe HTML entities, preventing the browser from interpreting attacker-supplied markup as executable code.
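As an added illustration (not Cacti's own code) of the pattern the fix changes, the block below puts the vulnerable and the patched render paths side by side. It uses simplified stand-ins for `html_escape()` and `form_selectable_cell()` whose signatures are assumed, and a constructed poller row carrying the payload quoted above.

```php
<?php
// Added example, not Cacti's code. The two helpers below are minimal
// stand-ins for the Cacti functions the advisory names; their signatures
// are simplified assumptions, kept only so the example runs offline.

// Stand-in for html_escape(): encode the characters a browser would treat
// as markup, quotes included, so the value is safe in text and attributes.
function html_escape($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for form_selectable_cell(): emits one table cell and, like the
// real helper, trusts $contents to already be safe HTML.
function form_selectable_cell($contents, $id) {
    return '<td id="' . html_escape($id) . '">' . $contents . '</td>';
}

// Vulnerable pattern (pollers.php before 1.2.0): the stored hostname is
// handed to the cell helper unchanged, so any markup in it is rendered live.
function render_hostname_vulnerable(array $poller) {
    return form_selectable_cell($poller['hostname'], $poller['id']);
}

// Patched pattern: escape at the output boundary before building the cell.
function render_hostname_fixed(array $poller) {
    return form_selectable_cell(html_escape($poller['hostname']), $poller['id']);
}

// Regression check a reviewer can run over rendered cells: once the <td>
// wrapper is stripped, no raw '<' may remain in data-derived content.
function hostname_cell_is_escaped(string $cell) {
    $inner = preg_replace('/^<td[^>]*>|<\/td>$/', '', $cell);
    return strpos($inner, '<') === false;
}

// Constructed sample row using the payload quoted in the advisory.
$poller = array('id' => 1, 'hostname' => '<img src=xss onerror=alert(1)>');

echo "vulnerable: ", render_hostname_vulnerable($poller), PHP_EOL;
echo "fixed:      ", render_hostname_fixed($poller), PHP_EOL;
var_dump(hostname_cell_is_escaped(render_hostname_vulnerable($poller)));
var_dump(hostname_cell_is_escaped(render_hostname_fixed($poller)));
```

The same boundary check applies to any other field pollers.php prints from the poller record; escaping at output rather than on input is what keeps stored values display-safe regardless of how they were saved.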
Preconditions
- auth: Attacker must have access to edit a Data Collector's settings (e.g., via pollers.php?action=edit&id=N)
- input: A victim user must visit pollers.php to view the Data Collectors table
Reproduction
1. Navigate to `http://localhost/cacti/pollers.php?action=edit&id=1` and set the Hostname field value to `<img src=xss onerror=alert(1)>`.
2. Visit `http://localhost/cacti/pollers.php`; the payload executes in the browser [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (vendor advisory, SUSE)
- github.com/Cacti/cacti/blob/develop/CHANGELOG (misc)
- github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53 (misc)
- github.com/Cacti/cacti/issues/2212 (misc)