CVE-2023-39512

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.25

Description The issue exists due to inadequate protection of the web page structure in the Cacti network monitoring tool. This allows a remote attacker to conduct cross-site scripting attacks. An authenticated user can poison data stored in the Cacti database, which will be viewed by administrative accounts and execute JavaScript code in the victim's browser. The vulnerability can be exploited by configuring a malicious device name, which can be done by a user with General Administration>Sites/Devices/Data permissions through the http://<HOST>/cacti/host.php endpoint. The malicious payload is rendered at the http://<HOST>/cacti/data sources.php endpoint.

Recommendations For versions prior to 1.2.25, upgrade to version 1.2.25 or later to resolve the issue. As a temporary workaround for users unable to update, manually filter HTML output to minimize the risk of exploitation. Restrict access to the data sources.php script and the host.php endpoint to minimize the risk of exploitation. Avoid using the device name configuration feature in Cacti until the issue is resolved.