Cross-Site Scripting vulnerability when Import xml template file
Description
Cacti is an open source operational monitoring and fault management framework. A reflected cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in templates_import.php. When uploading an XML template file, if the XML file does not pass the check, the server gives a JavaScript pop-up prompt which contains the unfiltered XML template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Cacti (no CPE), 2 ranges:
- range: = 1.2.25
- range: <= 1.2.25

OSV coordinates, 7 package versions:
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5

Fixed-version ranges for the distribution packages (no CPE), 7 ranges:
- range: < 1.2.26-bp155.2.6.1
- range: < 1.2.26-1.1
- range: < 1.2.26-bp155.2.6.1
- range: < 1.2.26-bp155.2.6.1
- range: < 1.2.26-bp155.2.6.1
- range: < 1.2.26-bp155.2.6.1
- range: < 1.2.26-bp155.2.6.1
Patches
Vulnerability mechanics
Root cause
"The application fails to sanitize the filename of an uploaded XML template before displaying it in a JavaScript alert."
Attack vector
An attacker can upload a crafted XML template file with a malicious filename containing JavaScript code. When this file fails validation during the import process, the application displays the filename in a JavaScript pop-up prompt without proper sanitization. This results in the execution of arbitrary JavaScript in the context of the victim user's browser [ref_id=1].
Affected code
The vulnerability resides in the `templates_import.php` file. Specifically, the `raise_message_javascript()` function is used to display error messages, including the filename of the uploaded XML template, which is not properly escaped before being embedded in a JavaScript string [ref_id=1].
What the fix does
As of the time of publication, no patched versions are available. The advisory recommends reviewing the XML file for proper syntax and checking the cacti.log for more information regarding import failures [ref_id=1].
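To make the root cause concrete, the following PHP is an added illustration written for this page; it is not Cacti's code and not the project's fix. It contrasts a hypothetical error-message helper that concatenates the uploaded filename straight into a JavaScript string literal (the pattern the advisory describes) with two hardened variants: one that serialises the message with `json_encode` and the `JSON_HEX_*` flags before placing it in a `<script>` block, and one that uses `htmlspecialchars` when the message is rendered as HTML instead. The function names and the message wording are assumptions; the test filename is the one from the advisory's reproduction steps.

```php
<?php
// Added example, not Cacti's code. Function names are hypothetical.

// Vulnerable pattern: the raw filename is dropped inside a JS string literal.
// A single quote in the filename ends the literal and whatever follows runs as code.
function render_import_error_vulnerable(string $filename): string {
    return "<script>alert('Import failed for " . $filename . ". Check cacti.log');</script>";
}

// Hardened pattern for a script context: json_encode produces a valid JS string
// literal, and the HEX flags encode ' " < > & as \uXXXX so the value can neither
// close the literal nor terminate the surrounding <script> element.
function render_import_error_safe(string $filename): string {
    $js_literal = json_encode(
        'Import failed for ' . $filename . '. Check cacti.log',
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    return "<script>alert(" . $js_literal . ");</script>";
}

// Hardened pattern for an HTML context: htmlspecialchars with ENT_QUOTES is the
// matching escape when the message is emitted as markup rather than as script.
function render_import_error_html(string $filename): string {
    return '<p class="error">Import failed for '
        . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '. Check cacti.log</p>';
}

// Defence in depth (assumed policy, not from the advisory): reject upload names
// that contain anything other than a conservative character set, so an odd
// filename never reaches the message renderer at all.
function is_acceptable_template_name(string $filename): bool {
    return preg_match('/^[A-Za-z0-9_.-]{1,128}\.xml$/', $filename) === 1;
}

// Filename quoted in the advisory's reproduction steps.
$crafted = "';alert(1);var xx = '.xml";

echo render_import_error_vulnerable($crafted), PHP_EOL;
// -> the quote in the filename terminates the literal; alert(1) becomes code.

echo render_import_error_safe($crafted), PHP_EOL;
// -> alert("Import failed for \u0027;alert(1);var xx = \u0027.xml. Check cacti.log")
//    a single string argument; nothing in it is executable.

echo render_import_error_html($crafted), PHP_EOL;
// -> the quote is emitted as &#039;, so the browser renders it as text.

var_dump(is_acceptable_template_name($crafted));        // bool(false)
var_dump(is_acceptable_template_name('host_template.xml')); // bool(true)
```

The general rule the example applies: escape for the context the value is written into (JavaScript string, HTML body, attribute), not for the context it came from, and treat an uploaded filename as attacker-controlled input like any other request parameter.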
Preconditions
- auth: The attacker must be logged into Cacti.
- network: The attacker must be able to access the Cacti web interface.
Reproduction
1. Log in to Cacti.
2. Navigate to "http://ip/cacti/templates_import.php".
3. Prepare an empty XML file named ';alert(1);var xx = '.xml'.
4. Upload this file.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/templates_import.php (MITRE, x_refsource_MISC)
- github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 (MITRE, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/ (MITRE)
News mentions
No linked articles in our index yet.