CVE-2023-39366 in Cacti

Summary

by MITRE • 09/06/2023

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability that allows an authenticated user to poison data stored in _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The `data_sources.php` script displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious Device name can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http:///cacti/host.php`, while the rendered malicious payload is exhibited at `http:///cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.


Analysis

by VulDB Data Team • 10/01/2023

The vulnerability CVE-2023-39366 is a critical stored cross-site scripting flaw in the Cacti monitoring framework that enables authenticated attackers to inject malicious JavaScript code into the application's database. It affects versions of Cacti prior to 1.2.25 and resides within the data source management functionality of the system. The flaw occurs when administrators or users with the appropriate permissions configure device names through the host.php interface; the names are stored in the database and subsequently rendered by the data_sources.php script without proper sanitization. The security implications are significant because the stored payload executes in the context of administrative users who view the affected data, creating a potential vector for privilege escalation and persistent malicious activity.

The technical mechanism of this vulnerability operates through the improper handling of user-supplied input within the device name configuration process. When an authenticated user with General Administration>Sites/Devices/Data permissions creates or modifies a device name containing malicious script tags, this input is stored directly in the database without adequate HTML sanitization or encoding. The vulnerability follows a classic stored XSS pattern where the malicious payload is first submitted and stored by the application, then later retrieved and displayed to other users without proper output encoding. The attack vector specifically targets the host.php configuration page where device names are set, and the execution occurs in data_sources.php where the stored information is rendered for viewing. This creates a persistent threat where any user with sufficient privileges to view the data sources will inadvertently execute the malicious code in their browser context.

The operational impact of CVE-2023-39366 extends beyond simple script execution, as it provides attackers with potential access to sensitive monitoring data and system information. Administrative users who view the compromised data sources become victims of the stored XSS attack, allowing attackers to steal session cookies, perform actions on behalf of administrators, or redirect users to malicious sites. The vulnerability is particularly concerning in operational monitoring environments where Cacti is used to track critical infrastructure, as attackers could potentially manipulate monitoring data or gain unauthorized access to system configurations. The attack requires only authentication privileges that are typically granted to system administrators or power users, making it a realistic threat in environments where administrative access is shared among several users. This aligns with CWE-79, which identifies cross-site scripting vulnerabilities as a fundamental web application security weakness, and represents a significant concern under ATT&CK technique T1566 for social engineering through malicious content.

Organizations affected by this vulnerability should prioritize immediate remediation through upgrading to Cacti version 1.2.25 or later, which includes proper input sanitization and output encoding mechanisms. For environments where immediate upgrade is not feasible, administrators should implement manual HTML filtering of output in the data_sources.php script to prevent script execution. Additional mitigation strategies include implementing proper input validation for device name fields, using Content Security Policy headers to limit script execution, and monitoring for suspicious device name entries in the database. Security teams should also conduct thorough audits of existing device configurations to identify any potentially compromised entries and consider implementing network-based protections such as web application firewalls to detect and block malicious payloads. The vulnerability demonstrates the importance of proper input validation and output encoding in web applications, particularly those handling operational data where administrative access is required for configuration modifications.
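The rendering defect described in the analysis above, the output-encoding fix, and the audit of existing device names recommended as a mitigation, as an added example that is not Cacti's code: the device rows and the `description` column are constructed stand-ins for Cacti's host table, and the markup pattern used by the audit is an assumption chosen for this example.

```python
import html
import re

# Constructed sample rows standing in for Cacti's host table (hypothetical schema,
# not Cacti's). Row 2 carries a script tag, row 3 stray markup and quotes.
DEVICES = [
    {"id": 1, "description": "core-router-01", "hostname": "10.0.0.1"},
    {"id": 2, "description": "<script>alert(1)</script>", "hostname": "10.0.0.2"},
    {"id": 3, "description": 'edge "west" <b>', "hostname": "10.0.0.3"},
]


def render_vulnerable(device):
    # The unsafe pattern: the stored name is concatenated into the page as-is,
    # so any markup it contains becomes part of the DOM of whoever views the page.
    return f"<td>{device['description']}</td>"


def render_hardened(device):
    # Output encoding at render time: every HTML-significant character (<, >, &,
    # and both quote styles) is escaped, so the browser displays the name as text.
    # This is the same contract as PHP's htmlspecialchars($s, ENT_QUOTES).
    return f"<td>{html.escape(device['description'], quote=True)}</td>"


# Assumed audit pattern: an opening or closing tag, an inline event-handler
# attribute, or a javascript: URL. A hit is a review trigger, not proof of compromise.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_devices(devices):
    # Returns the ids of rows whose stored name contains markup, so existing
    # entries can be reviewed before (or after) upgrading to 1.2.25.
    return [d["id"] for d in devices if MARKUP_RE.search(d["description"])]


if __name__ == "__main__":
    for d in DEVICES:
        print(render_vulnerable(d), "->", render_hardened(d))
    print("rows to review:", find_suspicious_devices(DEVICES))
```

The escaped output is what the fixed version should produce for every column that echoes stored data; the audit only narrows the review list and does not replace the upgrade.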

Responsible

GitHub, Inc.

Reservation

07/28/2023

Disclosure

09/06/2023

Moderation

accepted

CPE

ready

EPSS

0.00758

KEV

no

Activities

very low
