CVE-2023-39511

Stored Cross-Site-Scripting on reports_admin.php device name in Cacti

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `reports_admin.php` displays reporting information about graphs, devices, data sources etc. _CENSUS_ found that an adversary that is able to configure a malicious device name, related to a graph attached to a report, can deploy a stored XSS attack against any super user who has privileges of viewing the `reports_admin.php` page, such as administrative accounts. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/reports_admin.php` when the a graph with the maliciously altered device name is linked to the report. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually filter HTML output.

Cacti es un framework de gestión de fallas y monitoreo operativo de código abierto. Las versiones afectadas están sujetas a una vulnerabilidad de Cross-Site-Scripting (XSS) almacenada que permite a un usuario autenticado envenenar los datos almacenados en la base de datos de _cacti_. Estos datos serán vistos por cuentas administrativas de _cacti_ y ejecutarán código JavaScript en el navegador de la víctima en el momento de la visualización. El script bajo `reports_admin.php` muestra información de informes sobre gráficos, dispositivos, fuentes de datos, etc. _CENSUS_ descubrió que un adversario que puede configurar un nombre de dispositivo malicioso, relacionado con un gráfico adjunto a un informe, puede implementar un ataque XSS almacenado contra cualquier superusuario que tenga privilegios de ver la página `reports_admin.php`, como cuentas administrativas. Un usuario que posee los permisos _General Administration>Sites/Devices/Data_ permissions puede configurar los nombres de los dispositivos en _cacti_. Esta configuración ocurre a través de `http:///cacti/host.php`, mientras que el payload manipulado representado se exhibe en `http:///cacti/reports_admin.php` cuando se muestra un gráfico con el contenido malicioso. El nombre del dispositivo modificado está vinculado al informe. Este problema se solucionó en la versión 1.2.25. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben filtrar manualmente la salida HTML.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-08-03 CVE Reserved
2023-09-06 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-09-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN	Mailing List

URL	Date	SRC
https://github.com/Cacti/cacti/security/advisories/GHSA-5hpr-4hhc-8q42	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cacti Search vendor "Cacti"		Cacti Search vendor "Cacti" for product "Cacti"				< 1.2.25 Search vendor "Cacti" for product "Cacti" and version " < 1.2.25"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected