CVE-2023-39360Cross-site Scripting in Cacti

CWE-79Cross-site Scripting6 documents3 sources
Severity
6.1MEDIUMNVD
NVD5.4
EPSS
0.6%
top 29.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
CactiDebian CactiFedoraproject Fedora
Timeline
PublishedSep 5
Latest updateDec 22

Description

Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`. This vulnerability has been addressed in version 1.2.25. Users are adv

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

CVEListV5cacti/cacti< 1.2.27
debiandebian/cacti< cacti 1.2.24+ds1-1+deb12u2 (bookworm)
Debiancacti/cacti< 1.2.16+ds1-2+deb11u3+5
NVDcacti/cacti1.2.24, 1.2.25+1

Also affects: Fedora 37, 38

🔴Vulnerability Details

2
OSV
CVE-2023-49086: Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB)2023-12-22
OSV
CVE-2023-39360: Cacti is an open source operational monitoring and fault management framework2023-09-05

📋Vendor Advisories

2
Debian
CVE-2023-49086: cacti - Cacti is a robust performance and fault management framework and a frontend to R...2023
Debian
CVE-2023-39360: cacti - Cacti is an open source operational monitoring and fault management framework.Af...2023