CVE-2023-39360: Reflected Cross-site Scripting in graphs_new.php in Cacti
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | =1.2.24 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
Frequently Asked Questions
What is CVE-2023-39360 vulnerability?
CVE-2023-39360 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Cacti open source operational monitoring and fault management framework.
How can an authenticated user exploit this vulnerability?
An authenticated user can exploit the CVE-2023-39360 vulnerability by poisoning data through the `graphs_new.php` file.
What is the severity of CVE-2023-39360?
CVE-2023-39360 has a severity level of medium (6.1).
Which versions of Cacti are affected by CVE-2023-39360?
The CVE-2023-39360 vulnerability affects Cacti version 1.2.24.
How can I fix the CVE-2023-39360 vulnerability?
To fix the CVE-2023-39360 vulnerability, update Cacti to a version that is not affected by the vulnerability.
- collector/nvd-index
- agent/author
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cacti
- canonical/cacti cacti
- version/cacti cacti/1.2.24
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38