Cacti up to 1.2.24 host.php cross site scripting

Summaryinfo

A vulnerability was found in Cacti up to 1.2.24 and classified as problematic. This issue affects some unknown processing of the file host.php. Executing a manipulation can lead to cross site scripting. This vulnerability appears as CVE-2023-39513. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Cacti up to 1.2.24 (Log Management Software). It has been declared as problematic. This vulnerability affects an unknown code of the file host.php. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. CVE summarizes:

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under `host.php` is used to monitor and manage hosts in the _cacti_ app, hence displays useful information such as data queries and verbose logs. _CENSUS_ found that an adversary that is able to configure a data-query template with malicious code appended in the template path, in order to deploy a stored XSS attack against any user with the _General Administration>Sites/Devices/Data_ privileges. A user that possesses the _Template Editor>Data Queries_ permissions can configure the data query template path in _cacti_. Please note that such a user may be a low privileged user. This configuration occurs through `http:///cacti/data_queries.php` by editing an existing or adding a new data query template. If a template is linked to a device then the formatted template path will be rendered in the device's management page, when a _verbose data query_ is requested. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.

The weakness was presented 09/06/2023 as GHSA-9fj7-8f2j-2rw2. The advisory is available at github.com. This vulnerability was named CVE-2023-39513 since 08/03/2023. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.

By approaching the search of inurl:host.php it is possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 257979 (Linux Distros Unpatched Vulnerability : CVE-2023-39513), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 1.2.25 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (257979). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Log Management Software

Name

• Cacti

Version

• 1.2.0
• 1.2.1
• 1.2.2
• 1.2.3
• 1.2.4
• 1.2.5
• 1.2.6
• 1.2.7
• 1.2.8
• 1.2.9
• 1.2.10
• 1.2.11
• 1.2.12
• 1.2.13
• 1.2.14
• 1.2.15
• 1.2.16
• 1.2.17
• 1.2.18
• 1.2.19
• 1.2.20
• 1.2.21
• 1.2.22
• 1.2.23
• 1.2.24

License

• open-source

Website

• Product: https://github.com/Cacti/cacti/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion