CVE-2023-39510: Stored Cross-site Scripting in reports_admin.php through Device-Name in 'select' input in Cacti
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The`reports_admin.php` script displays reporting information about graphs, devices, data sources etc. CENSUS found that an adversary that is able to configure a malicious Device name, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/reports_admin.php` when the a graph with the maliciously altered device name is linked to the report. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <1.2.25 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| debian/cacti | <=1.2.24+ds1-1 | 1.2.2+ds1-2+deb10u4 1.2.2+ds1-2+deb10u5 1.2.16+ds1-2+deb11u1 1.2.16+ds1-2+deb11u2 1.2.24+ds1-1+deb12u1 1.2.25+ds1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://www.debian.org/security/2023/dsa-5550
- https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009
- https://github.com/Cacti/cacti/commit/26e2dbacf298265ce9e517f6f1f008ec46167b5d
- https://security-tracker.debian.org/tracker/CVE-2023-39510
Frequently Asked Questions
What is CVE-2023-39510?
CVE-2023-39510 is a Stored Cross-Site-Scripting (XSS) vulnerability in the Cacti open source operational monitoring and fault management framework.
How does CVE-2023-39510 affect Cacti?
CVE-2023-39510 allows an authenticated user to inject malicious scripts into the Cacti database, which can be viewed by administrative Cacti accounts.
What is the severity of CVE-2023-39510?
CVE-2023-39510 has a severity rating of 4.8 out of 10 (medium).
Which versions of Cacti are affected by CVE-2023-39510?
Versions up to and excluding 1.2.25 of Cacti are affected by CVE-2023-39510.
How can I fix CVE-2023-39510 in Cacti?
To fix CVE-2023-39510, it is recommended to upgrade Cacti to version 1.2.25 or a later version.
- collector/nvd-index
- collector/nvd-api
- collector/security-tracker-debian
- agent/title
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/cacti
- canonical/cacti cacti
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian