CVE-2023-50250: Cross-site Scripting in Cacti

Severity
6.1 MEDIUM (NVD)
NVD: 4.7
EPSS
3.6% (top 12.22%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 22
Latest update: May 14

Description

Cacti is an open source operational monitoring and fault management framework. A reflected cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php`. When uploading an XML template file, if the XML file does not pass the check, the server responds with a JavaScript pop-up prompt that contains the unfiltered XML template file name, resulting in XSS. An a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

CVEListV5: cacti/cacti < 1.2.27
NVD: cacti/cacti < 1.2.27 (+1 more)
debian: debian/cacti < cacti 1.2.24+ds1-1+deb12u2 (bookworm) (+1 more)
Debian: cacti/cacti < 1.2.24+ds1-1+deb12u2 (+5 more)

Also affects: Fedora 39

Vulnerability Details (2)

OSV: CVE-2024-29894: Cacti provides an operational monitoring and fault management framework (2024-05-14)
OSV: CVE-2023-50250: Cacti is an open source operational monitoring and fault management framework (2023-12-22)

Vendor Advisories (2)

Debian: CVE-2024-29894: cacti - Cacti provides an operational monitoring and fault management framework. Version... (2024)
Debian: CVE-2023-50250: cacti - Cacti is an open source operational monitoring and fault management framework. A... (2023)