CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
AI Score: 5 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 35.8%)
Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete: it still enables an adversary to have a victim's browser execute malicious code when the victim user hovers their mouse over the malicious data source path in data_debug.php. To perform the cross-site scripting attack, the adversary needs to be an authorized Cacti user with the following permissions: General Administration>Sites/Devices/Data. The victim of this attack could be any account with permissions to view http://<HOST>/cacti/data_debug.php. As of the time of publication, no complete fix has been included in Cacti.