Umbrassador

**Name of the Vulnerable Software and Affected Versions** Cacti versions prior to 1.2.25 **Description** The issue exists due to inadequate protection of the web page structure, allowing a remote attacker to execute arbitrary code. This can be achieved through a cross-site scripting attack when a victim user hovers over a malicious data source path in the `data debug.php` file. The attacker must have specific permissions, including `General Administration>Sites/Devices/Data`, to perform the attack. The victim can be any account with permissions to view the `http://<HOST>/cacti/data debug.php` endpoint. **Recommendations** For versions prior to 1.2.25, consider restricting access to the `data debug.php` file and limiting permissions to `General Administration>Sites/Devices/Data` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.