Cross-site Scripting (XSS) - Stored in cacti/cacti


Reported on

Jan 1st 2022


Hi there cacti maintainer team, I would like to report a stored XSS in cacti source code. It is due to unsanitized error message in synchronizing aggregates for color.

Proof of Concept

  1. Install a cacti instance in your local
  2. Go to Color and create a color with name <img src=a onerror=alert(document.cookie)>
  3. Back to color list, click on a color and select action Sync Aggregates, then click Continue
  4. See that an XSS is triggered and a pop up appears with your session cookie in it.


This vulnerability is capable of stored XSS.

We are processing your report and will contact the cacti team within 24 hours. a year ago
We have contacted a member of the cacti team and are waiting to hear back a year ago
cacti/cacti maintainer
a year ago

Master branch is not really used, but I have tested this against the 1.2.X branch and it is valid.

cacti/cacti maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
cacti/cacti maintainer
a year ago

Resolved in input is now sanitized

Jimmy Conner marked this as fixed in 1.2.20 with commit 0c05f6 a year ago
Jimmy Conner has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


Thanks Jimmy Conner.

to join this conversation