CVE-2024-43365 in Cacti

Summary

by MITRE • 10/08/2024

Cacti is an open source performance and fault management framework. The `consolenewsection` parameter is not properly sanitized when saving external links in links.php. Moreover, the said consolenewsection parameter is stored in the database and reflected back to the user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Analysis

by VulDB Data Team • 03/08/2025

The vulnerability CVE-2024-43365 affects Cacti, an open source performance and fault management framework widely used for network monitoring and system administration. This security flaw resides in the handling of external link creation functionality within the links.php script, specifically in the consolenewsection parameter processing. The issue represents a classic stored cross-site scripting vulnerability that allows authenticated attackers with privileges to create external links to inject malicious scripts into the application's database. The vulnerability stems from inadequate input sanitization and output escaping mechanisms, creating a persistent security risk that can affect all users who view the compromised external links.

The technical implementation of this vulnerability involves multiple stages of insecure data handling that align with CWE-79 (Cross-site Scripting) and follows the typical attack pattern described in the ATT&CK framework under TA0001 (Initial Access) and TA0002 (Execution). When an authenticated user creates an external link through the web interface, the consolenewsection parameter is not properly validated or sanitized before being stored in the database. This parameter then gets reflected back to users in the index.php page without appropriate HTML escaping or context-specific output encoding, creating the perfect conditions for stored XSS exploitation.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform session hijacking, defacement of monitoring dashboards, data exfiltration, and potentially escalate privileges within the Cacti environment. Since Cacti is commonly used in enterprise network monitoring scenarios, this vulnerability could provide attackers with access to critical infrastructure monitoring data and potentially allow them to manipulate or disable monitoring capabilities. The fact that the vulnerability affects database storage means that the malicious scripts persist even after the initial injection, making it particularly dangerous as it can affect multiple users over time. The vulnerability has been addressed in Cacti version 1.2.28, which includes proper input validation and output sanitization measures that prevent the consolenewsection parameter from being stored or reflected without appropriate security controls.

Organizations using Cacti should immediately upgrade to version 1.2.28 or later to remediate this vulnerability, as there are no effective workarounds available that would maintain the full functionality of the external link creation feature while providing adequate protection. The vulnerability demonstrates the critical importance of input validation and output escaping in web applications, particularly in monitoring systems where the integrity of displayed information is paramount for system security and operational continuity. Security teams should also implement network monitoring to detect potential exploitation attempts and consider additional defensive measures such as web application firewalls to protect against similar vulnerabilities in other components of their monitoring infrastructure.
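The two controls discussed above (checking the parameter on input, escaping it on output) can be sketched as follows. This is an added example, not code from Cacti, MITRE or VulDB: it flags `consolenewsection` values in a form-encoded POST body that contain HTML-significant characters, and shows the escaped form a stored value should take when rendered. Every field name other than `consolenewsection` is hypothetical, and the sample bodies are constructed.

```python
import html
import re
from urllib.parse import parse_qs

PARAM = "consolenewsection"  # parameter named in the advisory

# Characters that let a value break out of an HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")


def inspect_link_post(body: str) -> list[str]:
    """Return the consolenewsection values in a form-encoded POST body
    that contain HTML-significant characters (after URL decoding)."""
    fields = parse_qs(body, keep_blank_values=True)
    return [value for value in fields.get(PARAM, []) if MARKUP.search(value)]


def render_section(stored: str) -> str:
    """Escape a stored section name before placing it in an HTML page."""
    return html.escape(stored, quote=True)


# Constructed sample bodies, not captured traffic. "title" is a
# hypothetical field name used only to make the bodies look realistic.
SAMPLES = [
    "title=Wiki&consolenewsection=Team+Links",
    "title=Wiki&consolenewsection=%3Cb%3ETeam%3C%2Fb%3E",
]

if __name__ == "__main__":
    for body in SAMPLES:
        flagged = inspect_link_post(body)
        status = "FLAG" if flagged else "ok"
        print(f"{status:4} {body}")
        for value in flagged:
            # What the value looks like once escaped for output.
            print(f"     escaped for output: {render_section(value)}")
```

A check like this is a detection aid for request logs or a proxy rule; the fix the advisory gives remains the upgrade to 1.2.28.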

Responsible

GitHub M

Reservation

08/09/2024

Disclosure

10/08/2024

Moderation

accepted

CPE

ready

EPSS

0.22531

KEV

no

Activities

very low
