PT-2024-7358 · Cacti+1

Tayfunyelim · Published 2023-07-13 · Updated 2025-02-11 · CVE-2024-43362

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.28
Description: The vulnerability is a cross-site scripting flaw in the Cacti network monitoring tool, caused by insufficient protection of the web page structure in the links.php script. The fileurl parameter is not properly sanitized when an external link is saved, so a remote attacker holding the privilege to create external links can store a malicious value in fileurl that is later rendered to other users (stored XSS). The root cause is the classic one: untrusted user input is written into a web page without proper validation or escaping.
Recommendations: For versions prior to 1.2.28, upgrade to release 1.2.28, which addresses the issue. As a temporary workaround, restrict access to the links.php script and limit the ability to create external links to trusted users only. Avoid using the fileurl parameter in the HTTP POST request when creating external links until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2023-4394
ALT-PU-2023-4396
ALT-PU-2023-5196
ALT-PU-2024-14329
ALT-PU-2024-14440
ALT-PU-2024-17822
ALT-PU-2025-1813
BDU:2024-08721
CVE-2024-43362
DLA-4048-1
DSA-5862-1
GHSA-WH9C-V56X-V77C

Affected Products

Alt Linux
Cacti