CVE-2024-31444

2024-05-1415:25:20

CWE-79

[email protected]

web.nvd.nist.gov

cacti

cross-site scripting

html

security patch

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

8.8%

JSON

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.

Affected configurations

Vulners

Node

cacticactiRange<1.2.27

VendorProductVersionCPE
cacticacti*cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cacti	cacti	*	cpe:2.3:a:cacti:cacti::::::::

CNA Affected

[
  {
    "vendor": "Cacti",
    "product": "cacti",
    "versions": [
      {
        "version": "< 1.2.27",
        "status": "affected"
      }
    ]
  }
]