
CVE-2023-39516

Stored Cross-Site-Scripting on data_sources.php debug html-block in Cacti

  • Severity Score: 4.8 (CVSS v3.1)
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability which allows an authenticated user to poison data stored in _cacti_'s database. This data will be viewed by administrative _cacti_ accounts and will execute JavaScript code in the victim's browser at view-time. The script under `data_sources.php` displays the data source management information (e.g. data source path, polling configuration, etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary who is able to configure a malicious data source path can deploy a stored XSS attack against any user of the same (or broader) privileges. A user who possesses the 'General Administration>Sites/Devices/Data' permissions can configure the data source path in Cacti. This configuration occurs through `http://<HOST>/cacti/data_sources.php`. The same page can be used for previewing the data source path. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually escape HTML output.


*Credits: N/A
CVSS Scores
| Metric | Score set 1 | Score set 2 |
|---|---|---|
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | High | High |
| User Interaction | Required | Required |
| Scope | Changed | Unchanged |
| Confidentiality | Low | High |
| Integrity | Low | High |
| Availability | None | None |

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-08-03 CVE Reserved
  • 2023-09-05 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-09-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Cacti | Cacti | < 1.2.25 | - | Affected |
| Fedoraproject | Fedora | 37 | - | Affected |
| Fedoraproject | Fedora | 38 | - | Affected |