CVE-2023-49086
Cacti is vulnerable to DOM-based cross-site scripting (XSS)
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Bypassing an earlier fix (CVE-2023-39360) leads to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `graphs_new.php`. Impact of the vulnerability: execution of arbitrary JavaScript code in the attacked user's browser. This issue was fixed in version 1.2.26.
Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, or command injection.
SSVC
- Decision: -
Timeline
- 2023-11-21 CVE Reserved
- 2023-12-21 CVE Published
- 2025-02-13 CVE Updated
- 2025-02-13 First Exploit
- 2025-05-11 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (3)
| URL | Date | SRC |
|---|---|---|
| https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr | 2025-02-13 | |