CVE-2020-25706
Description
A cross-site scripting (XSS) vulnerability exists in templates_import.php (Cacti 1.2.13) due to improper escaping of the error message shown during template import preview for the xml_path field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- The Cacti Group, Inc./cacti, affected range: 1.2.13
Patches
Vulnerability mechanics
Root cause
"Improper escaping of user-controlled strings in error messages and display output during template import."
Attack vector
An attacker crafts a template XML file whose `xml_path` field, or the file's own name, contains an HTML or JavaScript payload. When an administrator previews or imports that template, Cacti renders the unescaped string into the page and the payload executes in the administrator's browser with the privileges of their Cacti session (XSS, CWE-79). The attack needs no network position beyond getting the file to the victim, but it does depend on the victim choosing to import it.
Affected code
The vulnerability is in `templates_import.php` (Cacti 1.2.13). Two code paths lack proper escaping: the `xml_to_data_query()` function passes user-controlled `$path` directly into `raise_message()` without HTML escaping, and `import_display_results()` prints `$filename` without `html_escape()` [ref_id=1].
What the fix does
The patch replaces `__()` with `__esc()` in `xml_to_data_query()` so the error message containing the user-supplied `$path` is HTML-escaped. It also wraps `$filename` with `html_escape()` in `import_display_results()` before printing. Both changes ensure that any embedded script tags or HTML are rendered as literal text rather than executed [ref_id=1].
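As an added example (not Cacti's code and not the patch itself), the following PHP puts the two unescaped sinks described in the attack-vector and affected-code paragraphs next to their patched form. The helpers are simplified stand-ins for Cacti's `__()`, `__esc()`, `html_escape()` and `raise_message()`; the message text, the `hash_...` element name, the crafted template and the crafted filename are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not Cacti's code): the two unescaped sinks in
// templates_import.php side by side with the patched form.
// Stand-ins for Cacti's helpers; message text and XML layout are assumed.

// __(): translate and interpolate, no escaping (stand-in).
function __(string $fmt, string ...$args): string {
    return vsprintf($fmt, $args);
}
// html_escape(): HTML-encode <, >, &, " and ' so the value is inert as markup.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// __esc(): same as __() but the finished string is escaped (what the fix uses).
function __esc(string $fmt, string ...$args): string {
    return html_escape(__($fmt, ...$args));
}
// raise_message() queues a message that Cacti later prints into the page;
// this stand-in just returns the markup that would be emitted.
function raise_message_html(string $message): string {
    return '<div class="messageContainer">' . $message . '</div>';
}

// Before the fix: $path from the uploaded template reaches the page unescaped.
function xml_to_data_query_error_vulnerable(string $path): string {
    return raise_message_html(__('Failed to locate XML file %s', $path));
}
// After the fix: __() replaced by __esc().
function xml_to_data_query_error_fixed(string $path): string {
    return raise_message_html(__esc('Failed to locate XML file %s', $path));
}
// import_display_results(): the uploaded filename is printed; the fix wraps
// it in html_escape().
function import_display_results_row_vulnerable(string $filename): string {
    return '<tr><td>' . $filename . '</td></tr>';
}
function import_display_results_row_fixed(string $filename): string {
    return '<tr><td>' . html_escape($filename) . '</td></tr>';
}

// Constructed crafted template. The payload sits in CDATA so the XML parser
// hands the raw "<script>" string to PHP; an entity-encoded form
// (&lt;script&gt;) decodes to the same string after parsing.
$crafted_template = <<<'XML'
<cacti>
  <hash_010013deadbeef>
    <name>Crafted Data Query</name>
    <xml_path><![CDATA[<script>alert(document.cookie)</script>]]></xml_path>
  </hash_010013deadbeef>
</cacti>
XML;
$crafted_filename = '"><img src=x onerror=alert(1)>.xml';

$xml  = simplexml_load_string($crafted_template);
$path = (string) $xml->hash_010013deadbeef->xml_path;

// Reviewer check: an attacker-controlled tag must not survive as a tag.
function has_live_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

printf("path from XML: %s\n", $path);
printf("vulnerable: %s\n", xml_to_data_query_error_vulnerable($path));
printf("fixed:      %s\n", xml_to_data_query_error_fixed($path));
printf("vulnerable: %s\n", import_display_results_row_vulnerable($crafted_filename));
printf("fixed:      %s\n", import_display_results_row_fixed($crafted_filename));

var_dump(has_live_tag(xml_to_data_query_error_vulnerable($path), 'script'));
var_dump(has_live_tag(xml_to_data_query_error_fixed($path), 'script'));
var_dump(has_live_tag(import_display_results_row_vulnerable($crafted_filename), 'img'));
var_dump(has_live_tag(import_display_results_row_fixed($crafted_filename), 'img'));
```

Run it with `php` on the command line. The point worth noticing is that XML-level encoding of the payload buys nothing: whether the attacker uses CDATA or `&lt;script&gt;`, the parsed `$path` is the same raw string, so the escaping has to happen at the HTML sink, which is exactly where the patch puts it.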
Preconditions
- The victim must import or preview a malicious template XML file.
- The attacker must craft a template with a payload in the xml_path field or filename.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References