CVE-2024-43364 in Cacti

Summary

by MITRE • 10/08/2024

Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php. Moreover, the said title parameter is stored in the database and reflected back to the user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Analysis

by VulDB Data Team • 03/08/2025

The vulnerability CVE-2024-43364 affects Cacti, an open source performance and fault management framework widely used for network monitoring and system administration. This security flaw resides in the handling of external link titles within the links.php component, representing a classic stored cross-site scripting vulnerability that can be exploited by authenticated users with sufficient privileges. The issue stems from inadequate input sanitization when processing the title parameter during external link creation, allowing malicious payloads to be stored in the database and subsequently executed in the user's browser when the data is reflected back in index.php. The vulnerability specifically targets the title parameter within HTTP POST requests, where attackers can inject malicious scripts that persist in the application's database and execute whenever affected pages are loaded.

The technical implementation of this vulnerability follows the typical stored XSS attack pattern where user input flows through multiple application components without proper sanitization or output encoding. When an attacker creates an external link with a malicious title parameter, the application fails to validate or escape the input before storing it in the database. This stored data is then retrieved and displayed in index.php without appropriate HTML escaping or context-aware output filtering, creating an environment where malicious scripts can execute in the victim's browser context. The vulnerability is classified as CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental web application security weakness that allows attackers to inject malicious content that executes in the browser of other users. The attack chain begins with user input manipulation through the external link creation interface, continues through database storage, and concludes with script execution in the victim's browser environment.
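
The store-then-render flow described above, reduced to a sketch. This is an added example, not Cacti's code or the 1.2.28 patch; the function names, the `view.php` URL and the 100-character limit are assumptions made for illustration.

```php
<?php
// Added illustration; not Cacti source code. All names here are hypothetical.

// Constructed sample: a link title exactly as it was stored from the POST body.
$storedTitle = 'Ops wiki <script>alert(1)</script>';

/**
 * Vulnerable pattern: the stored title is concatenated into the page as-is,
 * so any markup it contains becomes part of the HTML sent to every viewer.
 */
function render_tab_unescaped(string $title, int $id): string
{
    return '<a href="view.php?id=' . $id . '">' . $title . '</a>';
}

/**
 * Hardened pattern: encode for the HTML context at output time, so stored
 * data is treated as text no matter what was saved earlier.
 */
function render_tab_escaped(string $title, int $id): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="view.php?id=' . $id . '">' . $safe . '</a>';
}

/**
 * Input-side check for a save handler: refuse empty or over-long titles and
 * titles containing markup, quote or control characters.
 * The 100-byte limit is an assumed value, not a Cacti setting.
 */
function validate_title(string $title): bool
{
    return $title !== ''
        && strlen($title) <= 100
        && preg_match('/[<>"\'`\x00-\x1F]/', $title) !== 1;
}

// Compare the two renderings of the same stored value.
echo render_tab_unescaped($storedTitle, 1), PHP_EOL;
echo render_tab_escaped($storedTitle, 1), PHP_EOL;

// The save-time check rejects the constructed title and accepts a plain one.
var_dump(validate_title($storedTitle));
var_dump(validate_title('Ops wiki'));
```

Output encoding is the control that matters for rows already in the database; the save-time check only stops new markup from being stored.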

The operational impact of this vulnerability extends beyond simple script execution, as it allows attackers with external link creation privileges to potentially compromise user sessions, steal sensitive information, or redirect users to malicious sites. Since Cacti is commonly used in enterprise environments for critical network monitoring, this vulnerability could enable attackers to gain unauthorized access to monitoring data, potentially affecting system availability and integrity. The stored nature of the XSS payload means that the attack persists even after the initial exploitation, allowing attackers to maintain access to the application and potentially escalate privileges within the monitored environment. The vulnerability affects all users who can create external links, which in many deployments includes regular users with basic monitoring access, making it particularly dangerous as it can be exploited by individuals with relatively low privileges. The attack vector requires only that an attacker have the ability to create external links, which is often a standard feature in monitoring applications, making this vulnerability particularly concerning for organizations that rely on Cacti for their network infrastructure monitoring.

The mitigation for CVE-2024-43364 is straightforward and follows established security practices for preventing stored XSS vulnerabilities. The primary solution is upgrading to Cacti version 1.2.28 or later, which includes proper input sanitization and output encoding mechanisms. Organizations should immediately implement this upgrade as a priority security measure, as no effective workarounds exist for this vulnerability. The fix should be applied across all Cacti installations, particularly those with multiple user roles and administrative privileges, as these environments present the highest risk for exploitation. Additionally, organizations should conduct a thorough review of user permissions to limit external link creation capabilities to only trusted administrators. Network monitoring should include detection of suspicious link creation activities, and security teams should implement proper input validation at multiple layers of the application. The vulnerability also highlights the importance of following the principle of least privilege in web application design, where user inputs should always be validated and sanitized regardless of user role or access level. This issue demonstrates the critical need for consistent security practices throughout the application lifecycle, particularly in data handling and user input processing, as recommended by the OWASP Top Ten and NIST cybersecurity guidelines for secure software development practices.

Responsible: GitHub M

Reservation: 08/09/2024

Disclosure: 10/08/2024

Moderation: accepted

CPE: ready

EPSS: 0.34383

KEV: no

Activities: very low

Sources
