Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is
the `graphs_new.php`. Impact of the vulnerability - execution of arbitrary javascript code in
the attacked user's browser. This issue has been patched in version 1.2.26.
References
Link | Resource |
---|---|
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr | Exploit Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html |
Configurations
History
18 Mar 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Dec 2023, 19:08
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CPE | cpe:2.3:a:cacti:cacti:1.2.25:*:*:*:*:*:*:* | |
References | () https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr - Exploit, Vendor Advisory | |
First Time |
Cacti
Cacti cacti |
22 Dec 2023, 12:18
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
22 Dec 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-22 00:15
Updated : 2024-03-18 20:15
NVD link : CVE-2023-49086
Mitre link : CVE-2023-49086
CVE.ORG link : CVE-2023-49086
JSON object : View
Products Affected
cacti
- cacti
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')