6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
23.3%
Cacti is an open source operational monitoring and fault management
framework. Affected versions are subject to a Stored Cross-Site-Scripting
(XSS) Vulnerability which allows an authenticated user to poison data
stored in the cacti’s database. These data will be viewed by
administrative cacti accounts and execute JavaScript code in the victim’s
browser at view-time. The script under graphs.php
displays graph details
such as data-source paths, data template information and graph related
fields. CENSUS found that an adversary that is able to configure either a
data-source template with malicious code appended in the data-source name
or a device with a malicious payload injected in the device name, may
deploy a stored XSS attack against any user with General
Administration>Graphs privileges. A user that possesses the Template
Editor>Data Templates permissions can configure the data-source name in
cacti. Please note that this may be a low privileged user. This
configuration occurs through http://<HOST>/cacti/data_templates.php
by
editing an existing or adding a new data template. If a template is linked
to a graph then the formatted template name will be rendered in the graph’s
management page. A user that possesses the General
Administration>Sites/Devices/Data permissions can configure the device
name in cacti. This vulnerability has been addressed in version 1.2.25.
Users are advised to upgrade. Users unable to upgrade should add manual
HTML escaping.