CVE-2023-50569 in Cacti
Summary
by MITRE • 12/22/2023
Reflected Cross Site Scripting (XSS) vulnerability in Cacti v1.2.25, allows remote attackers to escalate privileges when uploading an xml template file via templates_import.php.
Analysis
by VulDB Data Team • 08/15/2024
This reflected cross-site scripting vulnerability in Cacti 1.2.25 lets a remote attacker execute script in the browser of an authenticated user. The flaw is reached through the templates_import.php endpoint, which accepts an uploaded XML template file: content taken from the upload is echoed back into the HTML response without adequate validation or output encoding. An XML file crafted so that a field the page echoes carries JavaScript therefore causes that script to run in the session of the user who submits the import.
Technically, the defect is a missing or incomplete encoding step between the uploaded data and the HTML response: attacker-controlled text from the template is written into the page in an HTML context, where the browser interprets it as markup rather than displaying it as text. Because the payload fires in the response to the very request that carries it, this is a reflected XSS, not a stored one: the script runs for the user who submits the crafted file, and nothing is persisted that would affect other sessions on its own. That shapes the attack path. The attacker needs a user who can reach the import page to submit the attacker's file, typically by tricking that user into importing a template the attacker supplies.
The privilege escalation mentioned in the summary is indirect. Importing templates is a privileged function in Cacti, so the user whose browser runs the payload is normally an administrator, and script executing in that session acts with that user's rights: it can read what the session can read, issue further requests to the Cacti web interface, change monitoring configuration or device data, and create or modify accounts. For organisations that rely on Cacti to watch critical infrastructure, a hijacked administrator session can therefore translate into control of the monitoring platform.
The weakness maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and the resulting script execution to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript). The durable fix is to upgrade to a Cacti release that corrects templates_import.php. Until that is possible: apply context-aware output encoding (htmlspecialchars with ENT_QUOTES in PHP) to every value from the uploaded file that the page echoes; validate uploaded templates against the expected structure and reject files whose fields contain HTML markup; restrict the import permission to the administrators who need it; and deploy a Content-Security-Policy that disallows inline script as defence in depth. Logging every template import, including the importing account and the file name, and alerting on uploads whose fields contain script tags or event-handler attributes gives the detection side something to work with, while segmenting the monitoring host limits what a compromised administrator session can reach.
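To make the reflected-XSS pattern and the pre-import check concrete, the following Python example is added here. It is not Cacti's code: Cacti is written in PHP, and this page does not identify the exact sink in templates_import.php, so the template element names, the sample upload and the rendering functions are constructed stand-ins. It parses an uploaded XML template, shows the vulnerable echo of a field beside its encoded form, and runs the kind of markup check on template fields that the mitigation paragraph describes; html.escape(quote=True) plays the role that htmlspecialchars($s, ENT_QUOTES) would play in PHP.

```python
"""Reflected XSS through an XML template import: vulnerable sink, hardened sink,
and a pre-import check.  Added illustration; not Cacti's code.  The <template>
schema below is a constructed stand-in, not Cacti's real template format."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample upload: the <name> field carries a script payload inside a
# CDATA section, so the XML is well-formed but the parsed text is raw markup.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<template>
  <name><![CDATA[<script>alert(document.cookie)</script>]]></name>
  <description>Plain description, no markup</description>
</template>
"""


def parse_template(data: bytes) -> dict:
    """Parse the uploaded file and return the top-level fields an import page
    might echo back (tag name -> text).  Assumed structure, see module docstring."""
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


def render_import_result_vulnerable(fields: dict) -> str:
    """The reflected-XSS pattern: attacker-controlled text from the request is
    interpolated straight into the HTML response, so the browser runs it."""
    return "<p>Imported template: {}</p>".format(fields.get("name", ""))


def render_import_result_hardened(fields: dict) -> str:
    """Same response with context-aware output encoding for an HTML text
    context: <, >, &, " and ' become entities and are displayed, not executed."""
    name = html.escape(fields.get("name", ""), quote=True)
    return "<p>Imported template: {}</p>".format(name)


# Heuristic for logging/alerting on suspicious uploads: HTML tags, inline
# event handlers (onerror=, onload=, ...) or javascript: URLs in a field value.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def suspicious_fields(fields: dict) -> list:
    """Return the names of fields whose text looks like markup.  An import
    handler can reject the upload, or log it with the importing account."""
    return [tag for tag, text in fields.items() if _MARKUP.search(text)]


if __name__ == "__main__":
    parsed = parse_template(MALICIOUS_XML)
    print("vulnerable :", render_import_result_vulnerable(parsed))
    print("hardened   :", render_import_result_hardened(parsed))
    print("flagged    :", suspicious_fields(parsed))
```

The vulnerable function emits the script tag verbatim, the hardened one emits `&lt;script&gt;...`, and the check flags only the `name` field; in a real import handler the flagged upload would be rejected before anything is written back to the page or the database.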