Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the «new_username» field during creation of a new user via «Copy» method at user_admin.php.
