xss in spikekill.php via para method

Question

xss in spikekill.php via para method

kevinoclam opened this issue 7 years ago · comments

it's not a high level vuln, maybe medium or low
line 37
echo __("FATAL: Spike Kill method '%s' is Invalid\n", get_nfilter_request_var('method'));
should change into
echo __("FATAL: Spike Kill method '%s' is Invalid\n", htmlspecialchars(get_nfilter_request_var('method')));

I should found this at issue 877, I'm sorry for the delay

chen ruiqi
codesafe team of qihoo 360

Jimmy Conner · Answer 1 · Tue Aug 15 2017 19:14:53 GMT+0800 (China Standard Time)

Resolved. Thanks for making Cacti a better tool!

Salvatore Bonaccorso · Answer 2 · Fri Aug 18 2017 13:05:54 GMT+0800 (China Standard Time)

This issue has been assigned CVE-2017-12927