CVE-2018-10059
Cacti before 1.1.37 is affected by a cross-site scripting (XSS) flaw. The get_current_page function in lib/functions.php uses $_SERVER['PHP_SELF'] to determine the page name instead of $_SERVER['SCRIPT_NAME'], enabling script injection via the page name. Evidence across multiple sources (NVD entr...