CVE-2023-39515: Cross-site Scripting in Cacti

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.3% (top 50.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 5, 2023; latest update Dec 22, 2023

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability that allows an authenticated user to poison data stored in Cacti's database. That data is later viewed by administrative Cacti accounts, and the injected JavaScript executes in the victim's browser at view time. The script under `data_debug.php` displays data source related debugging information such as _data source paths, polling settings, meta-d
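The description above is the whole mechanism: a field a lower-privileged user can store (a data source path, for instance) is read back from the database and written into a debugging page for an administrator without output encoding. The following is an added example, not Cacti's code and not the page's, that models that pattern in Python with a constructed sample record and a constructed attribute-breakout payload, shows the vulnerable rendering next to the encoded rendering, and includes the crude check a reviewer would run over the rendered output. The record layout, field names and the `<path_rra>` placeholder in the sample path are assumptions for illustration.

```python
"""Added illustrative example (not Cacti's own code): the stored-XSS pattern
in which a DB value an authenticated user controls is rendered to an admin
without HTML encoding, beside the encoded version."""
import html

# Constructed sample record standing in for a data source row read from the DB.
# The 'path' value is what a low-privileged user could have saved; everything
# after the embedded double quote is the attribute-breakout payload.
SAMPLE_DATA_SOURCE = {
    "name": "router1 - traffic",
    "path": '<path_rra>/router1_traffic.rrd" onmouseover="alert(document.cookie)',
    "step": 300,
}


def render_debug_row_vulnerable(ds: dict) -> str:
    """Interpolates DB values straight into markup. The stored path lands inside
    a value="..." attribute, and the embedded quote closes that attribute early,
    so the rest of the value becomes a live event-handler attribute."""
    return (
        f"<tr><td>{ds['name']}</td>"
        f"<td><input type=\"text\" value=\"{ds['path']}\"></td>"
        f"<td>{ds['step']}</td></tr>"
    )


def esc(value) -> str:
    """HTML-encode for element and attribute context. quote=True encodes both
    quote characters, so a value cannot terminate the attribute it sits in."""
    return html.escape(str(value), quote=True)


def render_debug_row_hardened(ds: dict) -> str:
    """Same row, with every DB-sourced value encoded at the point of output.
    Encoding at output time, not at storage time, is what makes the debug page
    safe regardless of what earlier code let into the database."""
    return (
        f"<tr><td>{esc(ds['name'])}</td>"
        f"<td><input type=\"text\" value=\"{esc(ds['path'])}\"></td>"
        f"<td>{esc(ds['step'])}</td></tr>"
    )


def attribute_breakout(markup: str) -> bool:
    """Crude reviewer check over rendered output: did the payload's injected
    event handler survive as a real attribute (raw quote followed by on*=)?"""
    return 'onmouseover="' in markup


if __name__ == "__main__":
    for label, render in (("vulnerable", render_debug_row_vulnerable),
                          ("hardened", render_debug_row_hardened)):
        out = render(SAMPLE_DATA_SOURCE)
        print(f"{label}: breakout={attribute_breakout(out)}\n  {out}")
```

In PHP, which is what Cacti is written in, the equivalent of `esc()` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`; the `ENT_QUOTES` flag is the part that matters for values placed inside attributes. Note the caveat the example does not cover: HTML encoding is only correct for element and attribute context. A value written into a `<script>` block or a JavaScript event handler needs JavaScript-string encoding instead, and a value written into a URL needs URL encoding.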

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Reading the vector: reachable over the network with low attack complexity, but the attacker needs an account with high privileges (PR:H) and a victim action is required (UI:R, an administrator opening the debug page). Scope is changed because the payload runs in the administrator's browser rather than in the Cacti component that stored it. Confidentiality and integrity impact are rated low, availability is not affected, which is what keeps the base score at 4.8 (Medium) despite the cross-component effect.

Affected Packages (4 packages)

NVD:       cacti/cacti   < 1.2.25
Debian:    debian/cacti  < 1.2.24+ds1-1+deb12u2 (bookworm), +1 more
Debian:    cacti/cacti   < 1.2.16+ds1-2+deb11u2, +7 more
CVEListV5: cacti/cacti   1.2.25

Also affects: Fedora 37, 38

Vulnerability Details (2)

OSV: CVE-2023-49088: Cacti is an open source operational monitoring and fault management framework (2023-12-22)
OSV: CVE-2023-39515: Cacti is an open source operational monitoring and fault management framework (2023-09-05)

Vendor Advisories (2)

Debian: CVE-2023-49088: cacti - Cacti is an open source operational monitoring and fault management framework. T... (2023)
Debian: CVE-2023-39515: cacti - Cacti is an open source operational monitoring and fault management framework. A... (2023)