CVSS3: 6.1 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score: 7.4 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 20.6%)
Cacti provides an operational monitoring and fault management framework.
Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting
vulnerability caused by an incomplete fix for CVE-2023-50250.
raise_message_javascript() in lib/functions.php now runs the message through
purify.js to address CVE-2023-50250 (among others). However, it still builds
the inline JavaScript from the unescaped PHP variables $title and $header.
purify.js sanitises HTML, but these two values land inside JavaScript string
literals, a different output context: if either contains a single quote, an
attacker can terminate the string literal and inject JavaScript. An attacker
exploiting this vulnerability could execute actions on behalf of other users
(the victim has to load the affected page, hence User Interaction: REQUIRED).
This ability to impersonate users could lead to unauthorized changes to
settings. Version 1.2.27 fixes this issue; installations that only applied the
earlier CVE-2023-50250 fix remain affected and should be compared against
1.2.27 before being treated as patched.
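The following is an added illustration of the bug class the advisory describes; it is not Cacti's own lib/functions.php, and the function names, variable names and sample payload are constructed for this example. It shows a message helper that interpolates PHP values into an inline script in the vulnerable shape, and the same helper hardened by emitting every value as a JSON literal.

```php
<?php
// Added illustration, not Cacti's code: a message helper that builds an
// inline <script> from server-side variables. Names and payload are constructed.

// Vulnerable shape: $title and $header are dropped straight into JavaScript
// single-quoted string literals. Sanitising the message as HTML (what a
// purifier does) cannot help here, because the sink is a JS string, not HTML.
function build_message_script_vulnerable(string $title, string $message, string $header): string
{
    return "<script type='text/javascript'>\n"
         . "    var reasonTitle = '" . $title . "';\n"
         . "    var onPage      = '" . $header . "';\n"
         . "    var reasonText  = '" . $message . "';\n"
         . "</script>\n";
}

// Hardened shape: every server value becomes a JSON literal. json_encode()
// escapes backslashes and double quotes and turns '/' into '\/'; the JSON_HEX_*
// flags additionally encode ' " < > & as \uXXXX, so the value can neither end
// the JS string nor close the enclosing <script> element. JSON_THROW_ON_ERROR
// makes invalid UTF-8 fail closed instead of silently yielding an empty literal.
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function build_message_script_fixed(string $title, string $message, string $header): string
{
    return "<script type='text/javascript'>\n"
         . "    var reasonTitle = " . js_literal($title) . ";\n"
         . "    var onPage      = " . js_literal($header) . ";\n"
         . "    var reasonText  = " . js_literal($message) . ";\n"
         . "</script>\n";
}

// Regression check for a test suite: the attacker's string must not reach the
// emitted script verbatim. With the fix, the single quote becomes \u0027 and
// the slash becomes \/, so the payload no longer appears as written.
function payload_survives(string $js, string $payload): bool
{
    return strpos($js, $payload) !== false;
}

// Constructed payload: terminates the string literal, runs code in the victim's
// session, and comments out the rest of the line so the script still parses.
$payload = "x'; fetch('/settings.php?change=1'); //";

echo build_message_script_vulnerable($payload, 'Saved', 'Settings');
echo build_message_script_fixed($payload, 'Saved', 'Settings');

var_dump(payload_survives(build_message_script_vulnerable($payload, 'Saved', 'Settings'), $payload));
var_dump(payload_survives(build_message_script_fixed($payload, 'Saved', 'Settings'), $payload));
```

The design point is that encoding must match the sink: an HTML purifier is the right tool for the message body rendered as HTML, but values placed inside a script need JavaScript string encoding, and json_encode() with the JSON_HEX_* flags covers both the string-literal breakout and the `</script>` breakout in one call. When auditing an installation, compare the running version with 1.2.27 and inspect the installed lib/functions.php for any `$title` or `$header` still printed directly inside a `<script>` block.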