CVE-2023-39512: Stored Cross-site Scripting on data_sources.php device name view in Cacti
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration, device name related to the datasource etc.) for different data visualizations of the _cacti_ app. _CENSUS_ found that an adversary that is able to configure a malicious device name, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <1.2.25 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| debian/cacti | <=1.2.24+ds1-1 | 1.2.2+ds1-2+deb10u4 1.2.2+ds1-2+deb10u5 1.2.16+ds1-2+deb11u1 1.2.16+ds1-2+deb11u2 1.2.24+ds1-1+deb12u1 1.2.25+ds1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://www.debian.org/security/2023/dsa-5550
- https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
- https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2
- https://security-tracker.debian.org/tracker/CVE-2023-39512
Frequently Asked Questions
What is the vulnerability ID for this Cacti vulnerability?
The vulnerability ID for this Cacti vulnerability is CVE-2023-39512.
What is Cacti?
Cacti is an open source operational monitoring and fault management framework.
What is the severity of CVE-2023-39512?
The severity of CVE-2023-39512 is medium with a severity value of 4.8.
What is the impact of CVE-2023-39512?
CVE-2023-39512 allows an authenticated user to poison data stored in the Cacti's database.
How can an authenticated user exploit CVE-2023-39512?
An authenticated user can exploit CVE-2023-39512 by injecting malicious scripts into Cacti and poisoning the stored data.
- collector/nvd-index
- collector/mitre-cve
- collector/nvd-api
- collector/security-tracker-debian
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/tags
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/cacti
- canonical/cacti cacti
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian