CVE-2023-39360

Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4	Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:cacti:cacti:1.2.24:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*

History

18 Mar 2024, 20:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html -

03 Nov 2023, 21:15

Type	Values Removed	Values Added
References		(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ -

20 Oct 2023, 19:23

Type	Values Removed	Values Added
First Time		Fedoraproject Fedoraproject fedora
CPE		cpe:2.3:o:fedoraproject:fedora:37:::::::* cpe:2.3:o:fedoraproject:fedora:38:::::::*
References	~~(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ -~~	(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - Mailing List
References	~~(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ -~~	(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ - Mailing List

13 Oct 2023, 04:15

Type	Values Removed	Values Added
References		(MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ -

08 Sep 2023, 17:43

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 -~~	(MISC) https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
First Time		Cacti Cacti cacti
CPE		cpe:2.3:a:cacti:cacti:1.2.24:::::::*

05 Sep 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-05 21:15

Updated : 2024-03-18 20:15

NVD link : CVE-2023-39360

Mitre link : CVE-2023-39360

CVE.ORG link : CVE-2023-39360

JSON object : View

Products Affected

cacti

cacti

fedoraproject

fedora

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10