PT-2023-4941 · Cacti (+1)

Author: Vissamoutafis · Published 2023-09-05 · Updated 2025-01-24

CVE-2023-39514

CVSS v2.0: 8.5 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.25

Description: The issue is a Stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in the Cacti database. This data is later viewed by administrative Cacti accounts and executes JavaScript code in the victim's browser at view time. The script graphs.php displays graph details such as data-source paths, data template information, and graph-related fields. An adversary can mount a stored XSS attack against any user with General Administration>Graphs privileges by configuring either a data-source template with malicious code appended to the data-source name or a device with a malicious payload injected into the device name. This configuration is performed through the http://<HOST>/cacti/data_templates.php endpoint by editing an existing data template or adding a new one. A user with Template Editor>Data Templates permissions can configure the data-source name, and a user with General Administration>Sites/Devices/Data permissions can configure the device name.

Recommendations: To resolve the issue, upgrade to version 1.2.25 or later. For versions prior to 1.2.25, add manual HTML escaping as a temporary workaround. As a mitigation measure, consider restricting access to the graphs.php script and the http://<HOST>/cacti/data_templates.php endpoint to minimize the risk of exploitation. Additionally, limit the permissions of users with Template Editor>Data Templates and General Administration>Sites/Devices/Data permissions to reduce the attack surface.
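The following is an added illustration, not code from Cacti or from this advisory. It shows the unsafe output pattern the description refers to (a stored data-source or device name written into graphs.php output without escaping) beside the escaped form that the "manual HTML escaping" workaround amounts to, plus a small audit helper for reviewing names already stored. The function names (render_row_unsafe, render_row_safe, html_out, find_suspicious_names) and the sample rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Cacti's own code. Demonstrates unescaped output of
// stored names (the vulnerable pattern), escaping at the point of output
// (the workaround), and an audit pass over records that are already stored.

// Constructed stand-in for rows read from the Cacti database: a data-source
// (template) name and a device name entered earlier by a lower-privileged user.
// The second row carries a tag and a quote character, the kind of content that
// is interpreted by the browser when echoed without escaping.
const SAMPLE_ROWS = [
    ['data_source_name' => 'traffic_in',  'device_name' => 'core-router-1'],
    ['data_source_name' => '<b>cpu</b>',  'device_name' => 'edge"-host'],
];

// Vulnerable pattern: stored strings are concatenated straight into markup,
// so whatever a user saved is rendered as HTML in the viewing admin's browser.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['data_source_name'] . '</td><td>'
         . $row['device_name'] . '</td></tr>';
}

// Hardened pattern: escape at the point of output for the HTML context.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently drop the field).
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . html_out($row['data_source_name']) . '</td><td>'
         . html_out($row['device_name']) . '</td></tr>';
}

// Audit helper: flag stored names that contain characters significant in HTML
// so entries saved before the fix can be reviewed. Legitimate names may also
// match (an '&' in a description, for instance); this is a review list, not
// an automatic clean-up.
function find_suspicious_names(array $rows): array
{
    $hits = [];
    foreach ($rows as $i => $row) {
        foreach (['data_source_name', 'device_name'] as $field) {
            if (preg_match('/[<>"\'&]/', $row[$field]) === 1) {
                $hits[] = ['row' => $i, 'field' => $field, 'value' => $row[$field]];
            }
        }
    }
    return $hits;
}

foreach (SAMPLE_ROWS as $row) {
    echo "unsafe: " . render_row_unsafe($row) . "\n";
    echo "safe:   " . render_row_safe($row) . "\n";
}
print_r(find_suspicious_names(SAMPLE_ROWS));
```

Run with `php example.php`: the unsafe lines reproduce the stored tag and quote verbatim, the safe lines carry `&lt;`, `&gt;` and `&quot;` instead, and the audit output lists both fields of the second row. The escaping belongs at output time in the HTML context, not at input time, since the same name may also be written to logs, RRD paths or JSON where HTML entities would be wrong.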


Related Identifiers

ALT-PU-2023-7619
ALT-PU-2023-7621
ALT-PU-2024-7120
ALT-PU-2025-1813
BDU:2023-05454
CVE-2023-39514
DSA-5550-1
GHSA-6HRC-2CFC-8HM7
OPENSUSE-SU-2023:0275-1
OPENSUSE-SU-2024:13203-1

Affected Products

Alt Linux
Cacti