@BEND0US
Last active February 2, 2026 22:06
CVE-2025-45160

CVE-2025-45160 – HTML Injection in Cacti Authenticated Template Upload

Description

An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page.

Proof of Concept

  1. Log in to the application.
  2. Navigate to the file upload interface.
  3. Upload a file with invalid content (the file content may be empty) and provide the following file name: <h1>HACK.xml
  4. Upon submission, the application displays a popup error including the unsanitized filename.
  5. The <h1> tag is rendered in the popup, altering the layout and potentially misleading the user.

Impact

While this does not allow JavaScript execution (i.e., no XSS), it constitutes an HTML Injection vulnerability that could be used to alter the DOM, perform UI redressing, or launch social engineering attacks.

Affected Component

  • Authenticated Template File Upload Endpoint - Error Handling
  • POST /templates_import.php?preview_only=true

Vulnerable Parameter

  • filename

Vulnerability Type

  • HTML Injection

Affected Product

Discoverer

  • Dogus Demirkiran

Reference
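
Added example, not part of the original gist and not Cacti's code: a before/after of reflecting the uploaded filename into an error message, plus a helper that flags upload parts whose filename carries markup. The function names, the error wording and the form field name `import_file` are assumptions made for illustration.

```javascript
// Added illustration: function names and the error wording are hypothetical, not Cacti code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Before: the client-supplied filename is concatenated into the popup markup,
// so a name such as "<h1>HACK.xml" becomes a real <h1> element.
function buildImportErrorUnsafe(filename) {
  return '<p>Import failed for file: ' + filename + '</p>';
}

// After: the filename is encoded at the point of output and renders as text.
function buildImportErrorSafe(filename) {
  return '<p>Import failed for file: ' + escapeHtml(filename) + '</p>';
}

// Pull the filename out of a multipart Content-Disposition header line.
// Returns null when the part carries no filename parameter.
function extractFilename(contentDisposition) {
  const m = /;\s*filename="((?:[^"\\]|\\.)*)"/i.exec(String(contentDisposition));
  return m ? m[1].replace(/\\(.)/g, '$1') : null;
}

// Review helper for request logs or a pre-parse check: template exports have
// no reason to carry angle brackets or control characters in their names.
function auditUploadPart(contentDisposition) {
  const filename = extractFilename(contentDisposition);
  if (filename === null) return { filename: null, suspicious: false, rendered: null };
  return {
    filename,
    suspicious: /[<>\u0000-\u001f]/.test(filename),
    rendered: buildImportErrorSafe(filename),
  };
}

// Constructed sample header (the field name "import_file" is an assumption).
const SAMPLE_PART = 'Content-Disposition: form-data; name="import_file"; filename="<h1>HACK.xml"';
```

Encoding at the point of output is what closes this class of issue; a sanitizer that permits formatting tags still lets an injected <h1> through.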

@z00z00z00

Hello Dogus,
Based on our tests and Cacti tests, this CVE does not impact 1.2.29 or higher.

Cacti answered this does not affect anything beyond 1.2.27 after they introduced the DomPurify.

Can you please recheck on your side with a clean install of Cacti?
Thanks
Wil - CERT Orange Cyberdefense

@BEND0US
Author

BEND0US commented Feb 2, 2026

Hello Wil,
This vulnerability is indeed a very low-severity HTML injection issue. I understand that you might have thought, "Why would you request a CVE for something this simple?" - fair point, lol. Nevertheless, I retested the case and can confirm that the HTML injection described here does exist.

The root cause of the vulnerability occurs in the file name handling and during the POST operation, and it is not an XSS issue. If it were a real XSS vulnerability, it would no longer be a flaw in Cacti itself; instead, it would point to a weakness in DOMPurify, since DOMPurify is used during rendering. So we can reasonably consider this a simple mistake caused by printing the file name without proper handling inside Cacti.
If there is any misunderstanding or anything that needs clarification, I’m more than happy to correct it.
Thank you.

@z00z00z00

Hello @BEND0US
Thanks a lot for your detailed reply ^_^
My post was not really to debate if a CVE is needed or not; not at all :)

But the payload you mentioned does not impact a user; when any payload is sanitized and not executed, right? At least it is not working in any Cacti versions from 1.2.17 when Dompurify has been implemented. Not working on my side (no popup); and on Cacti side as well.

Thanks for your answer.
Best,
Wil

@BEND0US
Author

BEND0US commented Feb 2, 2026

@z00z00z00 I triggered the vulnerability by creating a file that causes an error during XML parsing and then renaming this file to <h1>aaaa.xml before importing it. I have also attached several screenshots for your reference. If you are unable to reproduce the issue on your side, please let me know.
