CVE-2023-39514

Cacti is an open source operational monitoring and fault management
framework. Affected versions are subject to a Stored Cross-Site-Scripting
(XSS) Vulnerability which allows an authenticated user to poison data
stored in the cacti’s database. These data will be viewed by
administrative cacti accounts and execute JavaScript code in the victim’s
browser at view-time. The script under graphs.php displays graph details
such as data-source paths, data template information and graph related
fields. CENSUS found that an adversary that is able to configure either a
data-source template with malicious code appended in the data-source name
or a device with a malicious payload injected in the device name, may
deploy a stored XSS attack against any user with General
Administration>Graphs privileges. A user that possesses the Template
Editor>Data Templates permissions can configure the data-source name in
cacti. Please note that this may be a low privileged user. This
configuration occurs through http://<HOST>/cacti/data_templates.php by
editing an existing or adding a new data template. If a template is linked
to a graph then the formatted template name will be rendered in the graph’s
management page. A user that possesses the General
Administration>Sites/Devices/Data permissions can configure the device
name in cacti. This vulnerability has been addressed in version 1.2.25.
Users are advised to upgrade. Users unable to upgrade should add manual
HTML escaping.