Bug 1174850

Summary: VUL-1: cacti: Improper escaping of error message leads to XSS during template import preview
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: rfrohl
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2020-08-03 21:34:47 UTC
Improper escaping of error message leads to XSS during template import preview

https://github.com/Cacti/cacti/issues/3723
https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e
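The bug class named in the summary, as an added illustration that is not Cacti's code and not the change in the linked commit: a hypothetical import-preview handler (the template format, field names and parser below are all assumptions) that quotes untrusted template content inside a parse-error message, first reflected raw into the page, then HTML-escaped before output. It is written in Python rather than Cacti's PHP; the conventional PHP counterpart of html.escape() is htmlspecialchars() applied to the message before it is echoed.

```python
"""Added example (not Cacti's code): an import-preview page that reflects a
parse-error message containing attacker-controlled template content, first
without escaping (reflected XSS) and then with HTML escaping applied."""
import html
import re

# Constructed sample upload: a "template" whose name field carries a payload.
# The element names and structure are hypothetical, not Cacti's template XML.
MALICIOUS_UPLOAD = b"""<template>
  <name><script>alert(document.cookie)</script></name>
  <version>not-a-version</version>
</template>"""


def parse_template(data: bytes) -> dict:
    """Hypothetical parser: rejects the upload with an error message that
    quotes the untrusted name, as an importer might do to help the user."""
    text = data.decode("utf-8", errors="replace")
    m = re.search(r"<name>(.*?)</name>", text, re.S)
    name = m.group(1) if m else "(unnamed)"
    v = re.search(r"<version>(.*?)</version>", text, re.S)
    version = v.group(1) if v else ""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        # Untrusted content ends up inside the error text.
        raise ValueError(f"Template '{name}': invalid version '{version}'")
    return {"name": name, "version": version}


def render_preview_vulnerable(data: bytes) -> str:
    """Reflects the error message into the HTML page verbatim (the bug class)."""
    try:
        t = parse_template(data)
        return f"<p>Ready to import {t['name']} {t['version']}</p>"
    except ValueError as e:
        return f"<div class='error'>{e}</div>"


def render_preview_fixed(data: bytes) -> str:
    """Same page, but every untrusted string is HTML-escaped before output.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    try:
        t = parse_template(data)
        return (f"<p>Ready to import {html.escape(t['name'], quote=True)} "
                f"{html.escape(t['version'], quote=True)}</p>")
    except ValueError as e:
        return f"<div class='error'>{html.escape(str(e), quote=True)}</div>"


def contains_active_markup(page: str) -> bool:
    """Crude check for the demonstration: does the rendered page carry a raw
    <script ...> tag? This is not a general XSS detector."""
    return re.search(r"<script\b", page, re.I) is not None


if __name__ == "__main__":
    print(render_preview_vulnerable(MALICIOUS_UPLOAD))
    print(render_preview_fixed(MALICIOUS_UPLOAD))
```

The escaping belongs at the output boundary, on the whole message, rather than on individual fields inside the parser: any later code path that builds an error string from the same input would otherwise reintroduce the bug.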
Comment 1 OBSbugzilla Bot 2020-08-03 22:20:08 UTC
This is an autogenerated message for OBS integration:
This bug (1174850) was mentioned in
https://build.opensuse.org/request/show/824224 Factory / cacti
https://build.opensuse.org/request/show/824225 15.1+15.2+Backports:SLE-12 / cacti+cacti-spine
Comment 2 Swamp Workflow Management 2020-08-08 16:13:34 UTC
openSUSE-RU-2020:1167-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1174850
CVE References: 
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.14-14.1, cacti-spine-1.2.14-11.1
Comment 3 Swamp Workflow Management 2020-08-08 16:15:28 UTC
openSUSE-RU-2020:1167-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1174850
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    cacti-1.2.14-lp152.2.6.1, cacti-spine-1.2.14-lp152.2.6.1
openSUSE Leap 15.1 (src):    cacti-1.2.14-lp151.3.15.1, cacti-spine-1.2.14-lp151.3.15.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.14-14.1, cacti-spine-1.2.14-11.1
Comment 4 Andreas Stieger 2020-08-08 16:39:11 UTC
Done
Comment 5 Swamp Workflow Management 2020-08-11 16:13:59 UTC
openSUSE-RU-2020:1180-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1174850
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    cacti-1.2.14-bp151.4.15.1, cacti-spine-1.2.14-bp151.4.15.1
Comment 6 Swamp Workflow Management 2020-09-18 16:22:24 UTC
openSUSE-RU-2020:1233-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1174850
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    cacti-1.2.14-bp152.2.4.1, cacti-spine-1.2.14-bp152.2.4.1
Comment 7 Andreas Stieger 2020-11-11 17:57:09 UTC
*** Bug 1178677 has been marked as a duplicate of this bug. ***
Comment 8 Andreas Stieger 2020-11-11 18:00:08 UTC
This is CVE-2020-25706