PT-2024-3608 · Cacti · Cacti
Liotree · Published 2024-05-13 · Updated 2024-05-14 · CVE-2024-30268
CVSS v2.0: 6.4 (Medium), vector AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
Cacti versions 1.3.x
Description:
A reflected cross-site scripting (XSS) issue in Cacti allows an attacker to obtain the session cookies of administrators and other users and to impersonate them with the stolen cookies. The root cause is the lack of measures to neutralize special elements in the display settings function; a remote attacker can exploit it to perform cross-site scripting and forge a user's session with the captured cookie.
Recommendations:
For versions 1.3.x, update to a version that includes the fix for this issue, specifically the commit a38b9046e9772612fda847b46308f9391a49891e.
As a temporary workaround, consider restricting access to the display settings function to minimize the risk of exploitation.
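The missing step the advisory describes is output neutralization of a reflected value. The following PHP snippet is an added illustration, not Cacti's code and not the content of the referenced fix commit; the parameter name display_setting and the input element are assumptions. It places the unescaped pattern beside the encoded one and adds the cookie hardening that limits the consequence named above (cookie theft).

```php
<?php
// Added example (not Cacti code). The parameter name "display_setting" and the
// markup are assumptions; the point is the encoding step, not the page layout.

declare(strict_types=1);

/**
 * Encode a value for safe insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE prevents htmlspecialchars
 * from returning an empty string on invalid UTF-8, which would silently drop content.
 */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unsafe pattern: the request value is written into the page unchanged. */
function render_setting_unsafe(string $value): string
{
    return '<input type="text" name="display_setting" value="' . $value . '">';
}

/** Hardened pattern: every reflected value passes through html_encode(). */
function render_setting_safe(string $value): string
{
    return '<input type="text" name="display_setting" value="' . html_encode($value) . '">';
}

/** Self-check on a constructed input containing HTML special characters. */
function self_check(): bool
{
    $untrusted = '"><b>x</b>';
    // The unsafe version closes the attribute and injects markup ...
    $unsafe_ok = render_setting_unsafe($untrusted)
        === '<input type="text" name="display_setting" value=""><b>x</b>">';
    // ... while the hardened version keeps the same characters inert.
    $safe_ok = render_setting_safe($untrusted)
        === '<input type="text" name="display_setting" value="&quot;&gt;&lt;b&gt;x&lt;/b&gt;">';
    return $unsafe_ok && $safe_ok;
}

// Defence in depth against the consequence in the advisory (session cookie theft):
// mark the session cookie HttpOnly so script running in the page cannot read it.
// This must be called before session_start() and does not replace output encoding.
if (PHP_SAPI !== 'cli') {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

echo self_check() ? "encoding check passed\n" : "encoding check FAILED\n";
```

Run it with `php example.php`; it prints whether the encoded output matches the expected inert string. Encoding at the point of output, rather than filtering on input, is the general fix for this class of issue because the same value may be reused in several contexts.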
Links: Exploit, Fix
Tags: Improper Neutralization, Special Elements Injection, XSS
Related Identifiers: CVE-2024-30268
Affected Products: Cacti