CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.001 Low
Percentile: 20.7%
Cacti is an open source operational monitoring and fault management
framework. A reflected cross-site scripting vulnerability was discovered
in version 1.2.25. Attackers can exploit this vulnerability to perform
actions on behalf of other users. The vulnerability is found in
templates_import.php. When uploading an XML template file, if the XML
file does not pass the check, the server responds with a JavaScript pop-up
prompt that contains the unfiltered XML template file name, resulting in XSS.
An attacker exploiting this vulnerability could execute actions on behalf
of other users. This ability to impersonate users could lead to
unauthorized changes to settings. As of time of publication, no patched
versions are available.
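The bug class described above, a file name placed unencoded inside a JavaScript string, is shown here next to an encoded form. This is an added example, not Cacti's code: the function names, the message text and the sample file name are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names and markup are hypothetical, not taken from Cacti.

// Vulnerable pattern: the uploaded file name is concatenated straight into a
// JavaScript string literal, so a quote in the name ends the string early.
function render_error_unsafe(string $filename): string {
    return "<script>alert('Invalid XML template: " . $filename . "');</script>";
}

// Encode a PHP string as a complete, quoted JavaScript string literal.
// The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the value
// cannot close the string or the enclosing <script> element.
function js_string(string $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Hardened pattern: the whole message is passed through js_string(), which
// supplies its own surrounding quotes.
function render_error_safe(string $filename): string {
    $name = substr($filename, 0, 255); // bound the echoed length
    return '<script>alert(' . js_string('Invalid XML template: ' . $name) . ');</script>';
}

// Constructed sample file name containing quote characters and a comment marker.
$sample = "report');console.log('injected');//.xml";

echo render_error_unsafe($sample), PHP_EOL; // name breaks out of the string
echo render_error_safe($sample), PHP_EOL;   // name stays inside one string literal

// Round-trip check: the encoded literal carries exactly the original text.
if (json_decode(js_string($sample)) !== $sample) {
    throw new RuntimeException('encoding changed the value');
}

// The encoded literal must contain no raw quote or angle-bracket characters
// other than the two double quotes that delimit it.
$inner = substr(js_string($sample), 1, -1);
if (preg_match('/[\'"<>]/', $inner)) {
    throw new RuntimeException('raw delimiter character survived encoding');
}
```

Encoding at the output point matches the context the value lands in; HTML entity encoding alone would not be the right encoder for a value placed inside a script block.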