PT-2023-8200 · Cacti (+1)

Umbrassador (+1)

Published: 2023-09-05 · Updated: 2025-01-24 · CVE-2023-49088

CVSS v2.0: 7.7 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.25

Description: The issue exists due to inadequate protection of the web page structure, allowing a remote attacker to execute arbitrary code. This can be achieved through a cross-site scripting attack when a victim user hovers over a malicious data source path in the data_debug.php file. The attacker must have specific permissions, including General Administration > Sites/Devices/Data, to perform the attack. The victim can be any account with permissions to view the http://<HOST>/cacti/data_debug.php endpoint.

Recommendations: For versions prior to 1.2.25, consider restricting access to the data_debug.php file and limiting permissions to General Administration > Sites/Devices/Data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2024-7120
ALT-PU-2025-1813
BDU:2024-00192
CVE-2023-49088
DLA-3765-1
DSA-5646-1
GHSA-HRG9-QQQX-WC4H
GHSA-Q7G7-GCF6-WH4X
OPENSUSE-SU-2024:0031-1
OPENSUSE-SU-2024:13533-1

Affected Products

Alt Linux
Cacti