PT-2024-7759 · Cacti+1

Tayfunyelim · Published 2023-07-13 · Updated 2025-02-11 · CVE-2024-43365

CVSS v2.0 8.0 High
Vector AV:N/AC:L/Au:S/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.28
Description: Cacti does not sanitize the consolenewsection parameter when an external link is saved in links.php. The value is written to the database and later rendered, unescaped, into the console page by index.php, so the flaw is a stored XSS. A user who holds the privilege to create external links can place script in the consolenewsection field of the HTTP POST request, and that script then executes in the browser of any user who loads the console page. The root cause is the usual one for XSS: untrusted input is emitted into a web page without proper validation or output escaping.
Recommendations: Upgrade to Cacti 1.2.28 or later. Until the upgrade can be applied, limit the ability to create external links (and therefore to set consolenewsection in links.php) to trusted users only. After upgrading, review the external links already stored for injected markup, since the upgrade does not remove values that were saved before the fix.
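The save-then-render flow described above, reduced to a Python model. This is an added illustration, not Cacti code: the in-memory "table", the function names and the constructed inputs are assumptions chosen to mirror the page's description (a privileged user saves a link, the section name is stored, the console menu renders it to everyone). It shows the vulnerable rendering beside an output-escaped version, and a small audit helper for rows that were stored before a fix was applied.

```python
"""Stored XSS via an unescaped section name, modelled in Python.

Added example only (not Cacti's code). The store, function names and
sample strings are assumptions that mirror the page's description.
"""
import html
from html.parser import HTMLParser

# Constructed sample inputs: a normal section name and an injected one.
BENIGN_SECTION = "Network Docs"
XSS_SECTION = '"><script>alert(document.cookie)</script>'


def save_link(store, link_id, title, section):
    """Persist a link row with the section value untouched, as the
    vulnerable save path does. The fix belongs at output time."""
    store[link_id] = {"title": title, "consolenewsection": section}
    return store[link_id]


def render_console_vulnerable(store):
    """Build the console menu by concatenating stored strings verbatim.
    This is the stored-XSS pattern: untrusted data lands inside markup."""
    out = []
    for link_id, row in sorted(store.items()):
        out.append('<div class="section" data-id="%d">%s</div>'
                   % (link_id, row["consolenewsection"]))
        out.append('<a href="link.php?id=%d">%s</a>' % (link_id, row["title"]))
    return "\n".join(out)


def render_console_fixed(store):
    """Same menu, but every stored string is HTML-escaped on output.
    quote=True also encodes '"', so a value cannot break out of an
    attribute either."""
    out = []
    for link_id, row in sorted(store.items()):
        section = html.escape(row["consolenewsection"], quote=True)
        title = html.escape(row["title"], quote=True)
        out.append('<div class="section" data-id="%d">%s</div>' % (link_id, section))
        out.append('<a href="link.php?id=%d">%s</a>' % (link_id, title))
    return "\n".join(out)


class _ScriptFinder(HTMLParser):
    """Counts <script> elements and inline on* handlers in rendered HTML.
    Used here to check whether injected data became executable markup."""

    def __init__(self):
        super().__init__()
        self.executable = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.executable += 1
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.executable += 1


def rendered_html_executes_script(doc):
    finder = _ScriptFinder()
    finder.feed(doc)
    return finder.executable > 0


def audit_stored_sections(store):
    """Return ids of rows whose section name carries markup characters.
    Worth running after an upgrade: escaping on output neutralises old
    rows when they are displayed, but the raw payload is still in the DB."""
    suspicious = []
    for link_id, row in sorted(store.items()):
        value = row["consolenewsection"]
        if any(ch in value for ch in '<>"\'') or "javascript:" in value.lower():
            suspicious.append(link_id)
    return suspicious


def demo():
    store = {}
    save_link(store, 1, "Wiki", BENIGN_SECTION)
    save_link(store, 2, "Runbooks", XSS_SECTION)
    return {
        "vulnerable_executes": rendered_html_executes_script(render_console_vulnerable(store)),
        "fixed_executes": rendered_html_executes_script(render_console_fixed(store)),
        "suspicious_rows": audit_stored_sections(store),
    }


if __name__ == "__main__":
    print(demo())
```

Escaping at the output point, rather than filtering on input, is what closes the reflection path regardless of how the value got into the database; the audit helper exists because a fix of that kind leaves previously stored payloads in place, which matters if any other code path reads the same column.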

XSS

Related Identifiers

ALT-PU-2023-4394
ALT-PU-2023-4396
ALT-PU-2023-5196
ALT-PU-2024-14329
ALT-PU-2025-1813
BDU:2024-09250
CVE-2024-43365
DLA-4048-1
DSA-5862-1
GHSA-49F2-HWX9-QFFR

Affected Products

Alt Linux
Cacti