Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `graphs.php` displays graph details such as data-source paths, data template information and graph related fields. _CENSUS_ found that an adversary that is able to configure either a data-source template with malicious code appended in the data-source name or a device with a malicious payload injected in the device name, may deploy a stored XSS attack against any user with _General Administration>Graphs_ privileges. A user that possesses the _Template Editor>Data Templates_ permissions can configure the data-source name in _cacti_. Please note that this may be a _low privileged_ user. This configuration occurs through `http://<HOST>/cacti/data_templates.php` by editing an existing or adding a new data template. If a template is linked to a graph then the formatted template name will be rendered in the graph's management page. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device name in _cacti_. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should add manual HTML escaping.
References
Configurations
History
10 Apr 2025, 20:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ - Mailing List | |
| References | () https://www.debian.org/security/2023/dsa-5550 - Mailing List |
13 Feb 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `graphs.php` displays graph details such as data-source paths, data template information and graph related fields. _CENSUS_ found that an adversary that is able to configure either a data-source template with malicious code appended in the data-source name or a device with a malicious payload injected in the device name, may deploy a stored XSS attack against any user with _General Administration>Graphs_ privileges. A user that possesses the _Template Editor>Data Templates_ permissions can configure the data-source name in _cacti_. Please note that this may be a _low privileged_ user. This configuration occurs through `http://<HOST>/cacti/data_templates.php` by editing an existing or adding a new data template. If a template is linked to a graph then the formatted template name will be rendered in the graph's management page. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device name in _cacti_. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should add manual HTML escaping. |
21 Nov 2024, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| References | () https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7 - Exploit, Vendor Advisory | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ - | |
| References | () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List | |
| References | () https://www.debian.org/security/2023/dsa-5550 - |
09 Nov 2023, 05:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
03 Nov 2023, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
20 Oct 2023, 19:51
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
| First Time |
Fedoraproject fedora
Fedoraproject |
|
| References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List | |
| References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List |
13 Oct 2023, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
08 Sep 2023, 17:39
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7 - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:* | |
| First Time |
Cacti cacti
Cacti |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
05 Sep 2023, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-05 21:15
Updated : 2025-04-10 20:54
NVD link : CVE-2023-39514
Mitre link : CVE-2023-39514
CVE.ORG link : CVE-2023-39514
JSON object : View
Products Affected
cacti
- cacti
fedoraproject
- fedora
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')