First published: Tue Sep 05 2023 (Updated: )
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability that allows an authenticated user to poison data stored in Cacti's database. This data is later viewed by administrative Cacti accounts, and the injected JavaScript executes in the victim's browser at view time. The script `data_debug.php` displays data source related debugging information such as _data source paths, polling settings, meta-data on the data source_. _CENSUS_ found that an adversary who is able to configure a malicious data-source path can deploy a stored XSS attack against any user that has privileges to view the `data_debug.php` information. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the data source path in _cacti_. This configuration occurs through `http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
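To make the "manually filter HTML output" mitigation concrete, the following is an added example written for this page; it is not Cacti's own code, and the function names, the `<td>` wrapper, the allowed path character set and the sample path are all assumptions. It puts the vulnerable rendering pattern (a stored data-source path concatenated into HTML) beside an output-encoded version, and adds an input-side allow-list check as defence in depth:

```php
<?php
// Added example, not Cacti's code: how a stored data-source path ends up as
// script in a debug page, and how output encoding prevents it.
// Function names, the <td> wrapper and the sample value are assumptions.

// Constructed sample value: a data-source path as an authenticated user could
// have saved it through the data-source edit form. The trailing markup stands in
// for attacker-controlled input; a legitimate path never contains it.
$storedPath = '/usr/share/cacti/rra/host_42.rrd<script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into HTML verbatim,
// so any markup in it is parsed by the viewing administrator's browser.
function renderPathUnsafe(string $path): string
{
    return '<td>' . $path . '</td>';
}

// Output-encoding helper for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both quote styles, so the helper is also safe inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently hide a value).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, every time a stored value
// is written into the page.
function renderPathSafe(string $path): string
{
    return '<td>' . h($path) . '</td>';
}

// Defence in depth on the input side: a data-source path is a filesystem path,
// so it can be checked against an allow-list of path characters when saved.
// The character set below is an assumption; adjust it to the site's naming rules.
function isPlausibleDataSourcePath(string $path): bool
{
    return preg_match('#^/[A-Za-z0-9._/-]+$#', $path) === 1;
}

// Self-check used below: strip our own <td> wrapper and look for any '<'
// that came from the stored value rather than from the template.
function containsRawMarkup(string $html): bool
{
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') !== false;
}

echo renderPathUnsafe($storedPath), PHP_EOL;  // markup reaches the browser as markup
echo renderPathSafe($storedPath), PHP_EOL;    // markup is shown as literal text
var_dump(containsRawMarkup(renderPathUnsafe($storedPath)));   // the unsafe render leaks markup
var_dump(containsRawMarkup(renderPathSafe($storedPath)));     // the encoded render does not
var_dump(isPlausibleDataSourcePath($storedPath));             // rejected on input
var_dump(isPlausibleDataSourcePath('/usr/share/cacti/rra/host_42.rrd')); // accepted
```

The input check is a supplement, not a replacement: a value that was already stored before the check existed, or that arrives through another form, still reaches the page, so the encoding step at output is the control that actually closes the stored XSS.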
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cacti Cacti | <1.2.25 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
debian/cacti | <=1.2.2+ds1-2+deb10u4, <=1.2.2+ds1-2+deb10u5, <=1.2.16+ds1-2+deb11u1, <=1.2.24+ds1-1 | 1.2.16+ds1-2+deb11u2, 1.2.24+ds1-1+deb12u1, 1.2.25+ds1-2 |
CVE-2023-39515 is a vulnerability in Cacti, an open source operational monitoring and fault management framework, which allows an authenticated user to inject malicious scripts into Cacti's database.
The severity of CVE-2023-39515 is medium, with a CVSS score of 4.8.
CVE-2023-39515 affects Cacti versions up to and excluding 1.2.25, allowing an authenticated user to compromise the integrity and confidentiality of data stored in Cacti's database.
An attacker can exploit CVE-2023-39515 by injecting malicious scripts into Cacti's database; the scripts are then executed in the browsers of administrative Cacti accounts that view the poisoned data, which is a stored cross-site scripting attack.
To fix CVE-2023-39515, users should upgrade their Cacti installations to version 1.2.25 or apply the necessary patches provided by the Cacti project.