PT-2023-5421 · Cacti +1

Vissamoutafis · Published 2023-09-06 · Updated 2025-01-24 · CVE-2023-39511

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.25

Description: The issue is a Stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in the Cacti database. That data is later viewed by administrative Cacti accounts, and the injected JavaScript executes in the victim's browser at view-time. The reports_admin.php script displays reporting information about graphs, devices, data sources, etc. An adversary can mount a stored XSS attack against any super user with privileges to view the reports_admin.php page by setting a malicious device name on a device whose graph is attached to a report. The device name is configured through http://<HOST>/cacti/host.php, and the malicious payload is rendered at http://<HOST>/cacti/reports_admin.php when a graph belonging to the device with the altered name is linked to the report.

Recommendations: For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the issue. As a temporary workaround for users unable to upgrade, manually filter (entity-encode) HTML output. Restrict access to the reports_admin.php page to minimize the risk of exploitation. Avoid using the http://<HOST>/cacti/host.php endpoint to configure device names until the issue is resolved. Consider temporarily disabling the reports_admin.php script until a patch is available.
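The "manually filter HTML output" workaround above, shown as an added PHP illustration (this is not Cacti's code and not the upstream 1.2.25 fix): a stored device name is interpolated raw into a report table in the vulnerable form, and entity-encoded for the HTML context it lands in for the hardened form. The device name is a constructed sample value, and the function names are hypothetical.

```php
<?php
// Added illustration, not Cacti's own code: the recommended workaround of
// filtering HTML output. Data saved through host.php (here, a device name)
// is later printed by reports_admin.php; anything printed into HTML must be
// entity-encoded at output time, for the context it is printed into.

// Constructed sample device name (not a value taken from the advisory).
// It is a benign test string that would pop an alert if rendered raw.
$deviceName = 'core-router <script>alert(1)</script>';

// Vulnerable pattern: raw interpolation of database data into markup.
function renderReportRowUnsafe(string $deviceName): string
{
    return "<td>$deviceName</td>";
}

// Escape for HTML text and attribute contexts.
// ENT_QUOTES encodes both ' and " so the result is also safe inside a
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// silently returning an empty string (which would hide bad input).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern for a table cell (HTML text context).
function renderReportRowSafe(string $deviceName): string
{
    return '<td>' . escapeHtml($deviceName) . '</td>';
}

// Hardened pattern for a select option (HTML attribute + text context).
// The same escaper covers both because ENT_QUOTES encodes the quote chars.
function renderDeviceOptionSafe(int $hostId, string $deviceName): string
{
    return '<option value="' . (int) $hostId . '">' . escapeHtml($deviceName) . '</option>';
}

// Demonstration: the unsafe row carries an executable <script> element,
// the safe row carries only inert text.
echo renderReportRowUnsafe($deviceName), PHP_EOL;
echo renderReportRowSafe($deviceName), PHP_EOL;
echo renderDeviceOptionSafe(7, $deviceName), PHP_EOL;
```

Escaping at output is the durable defence because the stored value may be rendered in several places; rejecting angle brackets at host.php would only cover the one input path named in the description and would still leave previously poisoned rows in the database.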

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

ALT-PU-2023-7619
ALT-PU-2023-7621
ALT-PU-2024-7120
ALT-PU-2025-1813
BDU:2023-06051
CVE-2023-39511
GHSA-5HPR-4HHC-8Q42
OPENSUSE-SU-2023:0275-1
OPENSUSE-SU-2024:13203-1

Affected products

Alt Linux
Cacti