Launchpad.net

CVE 2018-10059

Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.

See the CVE page on Mitre.org for more details.