CVE-2023-49088

Cacti has incomplete fix for CVE-2023-39515

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti.

Cacti es un framework de gestión de fallos y monitoreo operativo de código abierto. La solución aplicada para CVE-2023-39515 en la versión 1.2.25 está incompleta, ya que permite que un adversario haga que el navegador de la víctima ejecute código malicioso cuando un usuario víctima pasa el mouse sobre la ruta de la fuente de datos maliciosa en `data_debug.php`. Para realizar el ataque de cross-site scripting, el adversario debe ser un usuario de Cacti autorizado con los siguientes permisos: `General Administration>Sites/Devices/Data`. La víctima de este ataque podría ser cualquier cuenta con permisos para ver `http:///cacti/data_debug.php`. Al momento de la publicación, no se ha incluido ninguna solución completa en Cacti.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2023-12-22 CVE Published
2024-08-02 CVE Updated
2024-08-02 First Exploit
2024-11-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (5)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X

URL	Date	SRC
https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/data_debug.php	2024-08-02
https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h	2024-08-02
https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cacti Search vendor "Cacti"		Cacti Search vendor "Cacti" for product "Cacti"				< 1.2.25 Search vendor "Cacti" for product "Cacti" and version " < 1.2.25"		-		Affected