CVE-2023-39510
Source: Ubuntu CVE tracker (ubuntu.com), UB:CVE-2023-39510
Published: 2023-09-05 00:00:00 (Sep 05, 2023 - 12:00 a.m.)

Tags: cacti, xss, reports_admin.php, database, monitoring, upgrade, vulnerability, administration

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 33.6%

Cacti is an open source operational monitoring and fault management
framework. Affected versions are subject to a stored cross-site scripting
(XSS) vulnerability that allows an authenticated user to poison data stored
in Cacti's database. This data is later viewed by administrative Cacti
accounts, and the injected JavaScript executes in the victim's browser at
view-time. The reports_admin.php script displays reporting information about
graphs, devices, data sources etc. CENSUS found that an adversary who is able
to configure a malicious device name can deploy a stored XSS attack against
any user of the same (or broader) privileges. A user that possesses the
General Administration > Sites/Devices/Data permissions can configure the
device names in Cacti. This configuration occurs through
http://<HOST>/cacti/host.php, while the rendered malicious payload is
exhibited at http://<HOST>/cacti/reports_admin.php when a graph with the
maliciously altered device name is linked to the report. This vulnerability
has been addressed in version 1.2.25. Users are advised to upgrade. Users
unable to update should manually filter HTML output.
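The advisory's mitigation for users who cannot upgrade is to filter HTML output. The following is an added illustration, not Cacti's own code and not the fix shipped in 1.2.25: it shows the vulnerable rendering pattern (a stored device name echoed straight into a report table) beside the hardened form that escapes at output time. The functions render_device_cell_vulnerable(), render_device_cell_fixed() and contains_raw_tag() are hypothetical helpers written for this example, and the device rows are constructed sample data standing in for what a report query against the Cacti database would return.

```php
<?php
// Added example for CVE-2023-39510; not Cacti's own code.
// A device name saved through host.php is later rendered by
// reports_admin.php. If it is echoed unescaped, HTML stored in the
// name runs in the administrator's browser when the report is viewed.
declare(strict_types=1);

// Constructed sample rows: what a report query might return from the
// database after a user with device-edit rights has saved these names.
$rows = [
    ['id' => 1, 'description' => 'core-router-01'],
    ['id' => 2, 'description' => '<script>alert(1)</script>'],
    ['id' => 3, 'description' => 'Tom & Jerry "lab" <switch>'],
];

// Vulnerable pattern: interpolating the stored value directly into markup.
function render_device_cell_vulnerable(array $row): string
{
    return '<td>' . $row['description'] . '</td>';
}

// Hardened pattern: escape at output time for the HTML body context.
// ENT_QUOTES also escapes single quotes, so the same value is safe
// inside attributes; the explicit charset avoids decoding surprises.
function render_device_cell_fixed(array $row): string
{
    $safe = htmlspecialchars($row['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Output check suitable for a regression test: after escaping, no raw
// angle bracket from user-controlled data may survive inside the cell.
function contains_raw_tag(string $cell): bool
{
    $inner = substr($cell, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') !== false || strpos($inner, '>') !== false;
}

foreach ($rows as $row) {
    $bad  = render_device_cell_vulnerable($row);
    $good = render_device_cell_fixed($row);
    printf(
        "device %d\n  vulnerable: %s (raw tag: %s)\n  fixed:      %s (raw tag: %s)\n",
        $row['id'],
        $bad,  contains_raw_tag($bad)  ? 'yes' : 'no',
        $good, contains_raw_tag($good) ? 'yes' : 'no'
    );
}
```

Escaping belongs at every place the stored field is rendered, not only in the report view the advisory names, since the same device description can appear in other pages; and it must be applied per output context (HTML body, attribute, JavaScript), which is why upgrading to 1.2.25 is preferable to patching individual views by hand.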
