Cacti XSS vulnerability in lib/html.php by reading dirty data stored in database
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
13 affected entries in total.
Cacti (upstream, no CPE):
- range: < 1.2.27
- range: < 1.2.27
SUSE / openSUSE packages (OSV coordinates, 11 versions; each package is listed with its fixed-version range in the order the page gives them):
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.6 (no CPE) range: < 1.2.27-bp156.2.3.1
- pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.2.27-1.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.6 (no CPE) range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP6 (no CPE) range: < 1.2.27-bp156.2.3.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5 (no CPE) range: < 1.2.27-bp155.2.9.1
- pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP6 (no CPE) range: < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"The `name` field stored in the `automation_tree_rules` database table is not sanitized and is later concatenated directly into HTML output without escaping."
Attack vector
An attacker with administrator privileges first submits a crafted `name` parameter containing a JavaScript payload (e.g. `<script>alert(1);</script>`) via a POST to `automation_tree_rules.php` with `action=save`. The payload is stored in the `automation_tree_rules` database table. Subsequently, the attacker triggers a GET request to `automation_tree_rules.php?action=remove&id=4`, which reads the stored payload and passes it unsanitized into `form_confirm()`, causing the script to execute in the victim's browser. [ref_id=1]
Affected code
The vulnerability resides in `automation_tree_rules_form_save()` in `automation_tree_rules.php`, where the `name` field is stored without thorough sanitization. The unsanitized value is later read back by `automation_tree_rules_remove()` and passed to `form_confirm()` in `lib/html.php`, where it is concatenated directly into HTML output. Because the payload is persisted and rendered to whoever opens the confirmation page, this is a stored cross-site scripting issue rather than a reflected one.
What the fix does
The patch in version 1.2.27 adds proper sanitization or escaping of the `name` field before it is concatenated into HTML output in `form_confirm()`. By ensuring that user-controllable data is escaped, the fix prevents the injection of arbitrary JavaScript, closing the stored cross-site scripting vector. [ref_id=1]
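The pattern described above, as an added illustration that is not Cacti's own code: a confirmation dialog built by string concatenation from a row read back from the database, first with the stored `name` inserted raw and then with output escaping applied at the HTML boundary. The function names (`render_confirm_unsafe`, `render_confirm_safe`, `html_escape`) and the row contents are hypothetical; the value in `$rule['name']` is the same constructed input the advisory text quotes.

```php
<?php
// Added illustration, not code from the Cacti project. Function names are hypothetical.

// Constructed stand-in for a row read back from the automation_tree_rules table.
// Whatever validation happened (or did not happen) on save, the value is untrusted here.
$rule = ['id' => 4, 'name' => '<script>alert(1);</script>'];

// Vulnerable pattern: the stored value is concatenated straight into markup.
function render_confirm_unsafe(array $row): string
{
    return '<div class="confirm">Delete the rule ' . $row['name'] . '?</div>';
}

// Hardened pattern: escape every data value at the point it enters HTML.
// ENT_QUOTES covers both quote styles, so the result is also safe inside attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_confirm_safe(array $row): string
{
    return '<div class="confirm">Delete the rule ' . html_escape($row['name']) . '?</div>';
}

// Regression check usable in a unit test: the rendered markup must never contain
// the stored value verbatim when that value carries HTML metacharacters.
function contains_raw_value(string $html, string $value): bool
{
    return strpos($html, $value) !== false;
}

$unsafe = render_confirm_unsafe($rule);
$safe   = render_confirm_safe($rule);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// The unsafe renderer leaks the raw value; the safe one must not.
if (!contains_raw_value($unsafe, $rule['name']) || contains_raw_value($safe, $rule['name'])) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
```

Run it with `php example.php` and compare the two lines. Escaping at output is the fix the advisory describes; rejecting or normalising the value on save (the `automation_tree_rules_form_save()` side) is worthwhile as defence in depth, but it does not replace output escaping, because the database row can be written by other code paths and the rendering context is only known where the HTML is produced.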
Preconditions
- auth: Attacker must have administrator privileges on the Cacti instance
- network: Attacker must be able to send POST requests to automation_tree_rules.php and GET requests to the same endpoint
Reproduction
Send a POST to `automation_tree_rules.php` with `save_component_automation_graph_rule=1`, `action=save`, `id=4`, and `name=<script>alert(1);</script>`. Then send a GET to `automation_tree_rules.php?action=remove&id=4`. The injected script executes when the confirmation page renders. [ref_id=1]
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References