VYPR
Unrated severity · OSV Advisory · Published Jan 16, 2019 · Updated Aug 5, 2024

CVE-2018-20725

Description

A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing HTML escaping of the Graph Vertical Label value before rendering in graph_templates.php allows stored cross-site scripting."

Attack vector

An attacker with the ability to edit graph templates can inject arbitrary JavaScript into the "Vertical Label" field. The payload is stored in the database and rendered without HTML escaping when the graph templates page is viewed. The issue reporter provides the example payload `label<img src=xss onerror=alert(1)>` which triggers when visiting `graph_templates.php?action=template_edit&id=1` [ref_id=1]. Any user who visits the affected graph templates page will execute the attacker's script, leading to session hijacking, data theft, or other client-side attacks.

Affected code

The vulnerability exists in `graph_templates.php` in the Graph Vertical Label field. The issue reporter notes that "there's no escape being done before printing out the value of Vertical Label in the Graphic templates page" [ref_id=1]. The commit that fixes this issue touches multiple files including `data_debug.php` and related functions, but the core XSS is in the template editing form for graph vertical labels [ref_id=2].

What the fix does

The fix applies `html_escape()` to user-controlled values before they are output in HTML context. The commit [ref_id=2] replaces direct string interpolation with calls to `html_escape()` on values such as `$name` and `$issue_line`, and also introduces `form_selectable_ecell()` (likely an escaped variant of `form_selectable_cell()`). These changes ensure that any HTML metacharacters in user-supplied input are encoded, preventing script injection. The advisory does not specify a version, but the issue was reported against Cacti v1.1.38 and fixed before the 1.2.0 release.
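To illustrate the class of fix described above, here is an added example that is not Cacti's own code: a stand-in for `html_escape()` built on PHP's `htmlspecialchars()`, with the Vertical Label value rendered once unescaped (the pre-fix behaviour) and once escaped. The helper name, its flags and the form field markup are assumptions, not taken from the Cacti commit.

```php
<?php
// Added example, not Cacti's code. html_escape_example() is an assumed
// stand-in for Cacti's html_escape(); the real helper may differ.
function html_escape_example(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value is safe inside attribute
    // values as well as element text; ENT_SUBSTITUTE avoids returning an
    // empty string when the input contains malformed UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vertical Label value as it would be stored in the database. Constructed
// sample input using the reporter's example: label text followed by a tag.
$vertical_label = 'label<img src=xss onerror=alert(1)>';

// Before the fix: the stored value is interpolated straight into the form
// markup, so the browser parses the <img> tag and runs its onerror handler.
$vulnerable = "<input type='text' name='vertical_label' value='"
    . $vertical_label . "'>";

// After the fix: the value is escaped first, so < > ' " become entities and
// the browser shows the label text literally instead of parsing a tag.
$fixed = "<input type='text' name='vertical_label' value='"
    . html_escape_example($vertical_label) . "'>";

// A simple check a reviewer can apply to rendered output: after escaping,
// no raw '<' from user input should survive inside the attribute value.
function contains_raw_tag(string $html_attribute_value): bool
{
    return strpos($html_attribute_value, '<') !== false;
}

echo $vulnerable, PHP_EOL;
echo $fixed, PHP_EOL;
var_dump(contains_raw_tag($vertical_label));                      // unescaped input
var_dump(contains_raw_tag(html_escape_example($vertical_label))); // escaped input
```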

Preconditions

  • Attacker must have permission to edit graph templates (e.g., an authenticated Cacti user with template editing privileges)
  • Victim must visit the graph_templates.php page where the stored payload is rendered

Reproduction

1. Log in to Cacti as a user with graph template editing privileges.
2. Navigate to `http://localhost:4040/cacti/graph_templates.php?action=template_edit&id=1`.
3. Set the "Vertical Label" field value to `label<img src=xss onerror=alert(1)>`.
4. Save the template.
5. Visit `http://localhost:4040/cacti/graph_templates.php`: the payload executes in the browser [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
