Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The `data_sources.php` script displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app.
CENSUS found that an adversary that is able to configure a malicious Device name, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
References
Configurations
History
21 Nov 2024, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| References | () https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv - Exploit, Vendor Advisory | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ - | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List | |
| References | () https://www.debian.org/security/2023/dsa-5550 - |
09 Nov 2023, 05:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
03 Nov 2023, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
20 Oct 2023, 19:23
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List | |
| References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List | |
| CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
| First Time |
Fedoraproject
Fedoraproject fedora |
13 Oct 2023, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
08 Sep 2023, 17:42
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv - Exploit, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
| CPE | cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* | |
| First Time |
Cacti
Cacti cacti |
05 Sep 2023, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-05 21:15
Updated : 2024-11-21 08:15
NVD link : CVE-2023-39366
Mitre link : CVE-2023-39366
CVE.ORG link : CVE-2023-39366
JSON object : View
Products Affected
fedoraproject
- fedora
cacti
- cacti
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')