CVE-2023-39513: Stored Cross-site Scripting on host.php verbose data-query debug view in Cacti
First published: Tue Sep 05 2023(Updated: )
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `host.php` is used to monitor and manage hosts in the _cacti_ app, hence displays useful information such as data queries and verbose logs. _CENSUS_ found that an adversary that is able to configure a data-query template with malicious code appended in the template path, in order to deploy a stored XSS attack against any user with the _General Administration>Sites/Devices/Data_ privileges. A user that possesses the _Template Editor>Data Queries_ permissions can configure the data query template path in _cacti_. Please note that such a user may be a low privileged user. This configuration occurs through `http://<HOST>/cacti/data_queries.php` by editing an existing or adding a new data query template. If a template is linked to a device then the formatted template path will be rendered in the device's management page, when a _verbose data query_ is requested. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cacti Cacti | <1.2.25 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| debian/cacti | <=1.2.2+ds1-2+deb10u4<=1.2.2+ds1-2+deb10u5<=1.2.16+ds1-2+deb11u1<=1.2.24+ds1-1 | 1.2.16+ds1-2+deb11u2 1.2.24+ds1-1+deb12u1 1.2.25+ds1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
- https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e
- https://security-tracker.debian.org/tracker/CVE-2023-39513
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
- https://www.debian.org/security/2023/dsa-5550
- https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-39513.
What is the severity of CVE-2023-39513?
The severity of CVE-2023-39513 is medium with a CVSS score of 5.4.
What is the affected software?
The affected software is Cacti version up to exclusive 1.2.25.
What is the impact of the vulnerability?
The vulnerability allows an authenticated user to inject malicious scripts into the Cacti database, potentially leading to data manipulation or unauthorized access.
Is there a fix available for CVE-2023-39513?
Yes, it is recommended to upgrade to a version of Cacti that is not affected by the vulnerability.
- collector/nvd-index
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/cacti
- canonical/cacti cacti
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/debian