Multiple cross-site scripting vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the drp_action parameter to cdef.php, data_input.php, data_queries.php, data_sources.php, data_templates.php, graph_templates.php, graphs.php, host.php, or host_templates.php or the graph_template_input_id or graph_template_id parameter to graph_templates_inputs.php.