The host is installed with Cacti before 1.2.25 and is prone to a stored cross-site-scripting (XSS) vulnerability, data source path and stored xss attack against any user of the same (or broader) privileges vulnerability. A flaw is present in the application, which fails to handle a malicious device name. Successful exploitation allows an authenticated attacker to poison data stored in the cacti's database, which will be viewed by administrative cacti accounts and execute JavaScript code in the victim's browser at view-time.