CVE-2023-39516

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.25

Description The issue is related to a Stored Cross-Site-Scripting (XSS) vulnerability in Cacti, an open source operational monitoring and fault management framework. This vulnerability allows an authenticated user to poison data stored in the Cacti database, which can be viewed by administrative accounts and execute JavaScript code in the victim's browser. The script under data sources.php displays data source management information, and an adversary can deploy a stored XSS attack by configuring a malicious data-source path. This configuration occurs through the http://<HOST>/cacti/data sources.php page.

Recommendations For versions prior to 1.2.25, upgrade to version 1.2.25 or later to resolve the issue. For users unable to upgrade, manually escape HTML output as a temporary workaround. As a mitigation measure, consider restricting access to the data sources.php page and limiting the ability to configure data source paths to only trusted users.