Summary
cycle.php:312 echoes $leaf['title'] (from the database) and cycle.php:323 echoes $rfilter (from a request variable) into HTML without html_escape(). Either value can contain HTML/JavaScript that executes in the browser of authenticated users viewing the plugin.
Details
| Field |
Value |
| File |
cycle.php |
| Lines |
312, 323 |
| Auth required |
Yes — authenticated Cacti user |
| CWE |
CWE-79 |
// Line 312 — before
echo $leaf['title'];
// after
echo html_escape($leaf['title']);
// Line 323 — before
value="<?php echo $rfilter; ?>"
// after
value="<?php echo html_escape($rfilter); ?>"
Fix applied in branch security/cycle-html-escape-output.
Acceptance criteria
Summary
cycle.php:312echoes$leaf['title'](from the database) andcycle.php:323echoes$rfilter(from a request variable) into HTML withouthtml_escape(). Either value can contain HTML/JavaScript that executes in the browser of authenticated users viewing the plugin.Details
Fix applied in branch
security/cycle-html-escape-output.Acceptance criteria
html_escape()applied to$leaf['title']at line 312html_escape()applied to$rfilterat line 323tests/Security/CycleParamTest.php