CVE-2020-23226: 
Cacti vulnerability analysis and mitigation

Multiple Cross Site Scripting (XSS) vulnerabilities were discovered in Cacti version 1.2.12 affecting multiple PHP files including reports_admin.php, data_queries.php, data_input.php, graph_templates.php, graphs.php, and reports_admin.php. The vulnerability was assigned CVE-2020-23226 and was discovered in May 2020 (GitHub Issue).

The vulnerability stems from insufficient input validation and output encoding in multiple PHP files within the Cacti application. When exploited, an attacker could inject malicious JavaScript code that would execute in the victim's browser context. The issue was particularly present in various administrative interfaces where user input was not properly sanitized before being displayed back to users (Debian LTS).

The XSS vulnerabilities could lead to information disclosure and potentially allow attackers to perform actions with the privileges of the victim user. When successfully exploited, the attacker could steal session cookies, capture keystrokes, or perform unauthorized actions on behalf of the authenticated user (Debian Security Tracker).

The vulnerability was fixed in subsequent releases of Cacti. Debian released security updates addressing this issue in multiple versions: version 0.8.8h+ds1-10+deb9u2 for Debian 9 (Stretch) and version 1.2.2+ds1-2+deb10u5 for Debian 10 (Buster) (Debian LTS, Debian LTS).