CVE-2020-7106
Description
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti/Cacti
- Range: =1.2.8
- osv-coords (7 distribution packages, each with its fixed-version range; no CPE):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.1 : < 1.2.9-lp151.3.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed : < 1.2.18-1.2
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.1 : < 1.2.9-lp151.3.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 : < 1.2.11-5.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP1 : < 1.2.12-bp151.4.9.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 : < 1.2.11-2.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP1 : < 1.2.12-bp151.4.9.1
Patches
Vulnerability mechanics
Root cause
"Missing output escaping on multiple pages allows stored XSS via user-supplied fields such as the description parameter."
Attack vector
An attacker navigates to Console -> Create -> New Device and embeds a script payload (e.g., `
Affected code
The vulnerability affects multiple Cacti pages including data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php [ref_id=1]. The description parameter in data_sources.php is a primary example: a raw string from the database is displayed by $header without proper escaping, triggering stored XSS [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the root cause is a lack of output escaping on multiple pages that display user-supplied data from the database [ref_id=1]. The remediation is to apply HTML escaping (htmlspecialchars or an equivalent wrapper, with quotes escaped so the same helper is safe inside attribute values) to fields such as the description parameter at the point where $header renders them in data_sources.php, and at the corresponding output points in the other affected files [ref_id=1]. Escaping at output rather than filtering at input matters here: the payload is already persisted, so a fix that only sanitises new submissions leaves existing rows live until they are edited.
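The root cause and the fix described above, as an added illustration; this is example code written for this page, not Cacti's source or the vendor patch. The row, the $header construction and the render functions are simplified stand-ins (hypothetical), and the only real API relied on is PHP's htmlspecialchars(). It renders the same stored description unescaped and escaped, and includes a check a reviewer can run over either fragment.

```php
<?php
// Added example for CVE-2020-7106: a value read from the database is
// interpolated into page markup without escaping, then the same value
// rendered with output escaping applied. Stand-alone code, not Cacti's own;
// function names and the $header shape are simplified stand-ins.

declare(strict_types=1);

// Constructed stand-in for the row data_sources.php would load. The
// description carries a stored payload exactly as an authenticated user
// could have saved it through the console.
function sample_row(): array
{
    return [
        'id'          => 42,
        'description' => 'Traffic <script>alert(document.cookie)</script>',
    ];
}

// Vulnerable shape (hypothetical reconstruction of the bug class): the raw
// string from the database is concatenated into the header markup.
function render_header_vulnerable(array $row): string
{
    $header = 'Data Source [edit: ' . $row['description'] . ']';
    return '<div class="cactiTableTitle">' . $header . '</div>';
}

// Escape for an HTML text or attribute context. ENT_QUOTES covers both
// quote characters so the helper is also safe inside attribute values;
// ENT_SUBSTITUTE keeps an invalid UTF-8 sequence from yielding an empty
// string, which would otherwise silently drop the field.
function html_escape_value(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed shape: escaping happens at the point of output. Storage is left
// untouched, so rows that already contain a payload are neutralised too.
function render_header_fixed(array $row): string
{
    $header = 'Data Source [edit: ' . html_escape_value($row['description']) . ']';
    return '<div class="cactiTableTitle">' . $header . '</div>';
}

// Crude reviewer check over a rendered fragment: a script tag must never
// reach the browser as live markup.
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$row  = sample_row();
$vuln = render_header_vulnerable($row);
$safe = render_header_fixed($row);

echo "vulnerable: $vuln\n";   // <script> survives and executes for every viewer
echo "fixed:      $safe\n";   // &lt;script&gt;... is displayed as text

assert(contains_live_script($vuln) === true);
assert(contains_live_script($safe) === false);
assert(html_escape_value('a"b\'c<d>&') === 'a&quot;b&apos;c&lt;d&gt;&amp;');
```

Run it with `php example.php`. The same html_escape_value() call is what needs to wrap every database-sourced field listed in the description (graphs.php, graph_items.php, user_admin.php and the rest), not just the description parameter that the CVE uses as its demonstration.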
Preconditions
- auth: Attacker must have access to create or edit a device (or other entity) on the Cacti console
- input: The application must store the attacker-supplied payload in the database without sanitization
Reproduction
Navigate to Console -> Create -> New Device. In the Description field, input the script payload `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-05/msg00032.html (vendor advisory, SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/ (vendor advisory, Fedora)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/ (vendor advisory, Fedora)
- security.gentoo.org/glsa/202003-40 (vendor advisory, Gentoo)
- github.com/Cacti/cacti/issues/3191 (misc)
- lists.debian.org/debian-lts-announce/2020/01/msg00014.html (mailing list, Debian LTS)
- lists.debian.org/debian-lts-announce/2022/03/msg00038.html (mailing list, Debian LTS)
News mentions
No linked articles in our index yet.