CVE-2024-31444

2024-05-1415:25:20

CWE-79

GitHub_M

web.nvd.nist.gov

cacti

cross-site scripting

html

security patch

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

5.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.

Affected configurations

Vulners

Vulnrichment

Node

cacticactiRange<1.2.27

VendorProductVersionCPE
cacticacti*cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cacti	cacti	*	cpe:2.3:a:cacti:cacti::::::::

CNA Affected

[
  {
    "vendor": "Cacti",
    "product": "cacti",
    "versions": [
      {
        "version": "< 1.2.27",
        "status": "affected"
      }
    ]
  }
]