CVE-2023-39366 Common Vulnerabilities and Exposures

Upstream information

CVE-2023-39366 at MITRE

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The `data_sources.php` script displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app.
CENSUS found that an adversary that is able to configure a malicious Device name, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
	National Vulnerability Database
Base Score	6.1
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	Required
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	None
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1215052 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2023:0275-1, published Tue Sep 26 22:45:11 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	`cacti >= 1.2.25-35.1` `cacti-spine >= 1.2.25-29.1`	Patchnames: openSUSE-2023-275
SUSE Package Hub 15 SP4	`cacti >= 1.2.25-bp154.2.9.1` `cacti-spine >= 1.2.25-bp154.2.9.1`	Patchnames: openSUSE-2023-275
SUSE Package Hub 15 SP5	`cacti >= 1.2.25-bp155.2.3.1` `cacti-spine >= 1.2.25-bp155.2.3.1`	Patchnames: openSUSE-2023-275
openSUSE Leap 15.4	`cacti >= 1.2.25-bp154.2.9.1` `cacti-spine >= 1.2.25-bp154.2.9.1`	Patchnames: openSUSE-2023-275
openSUSE Leap 15.5	`cacti >= 1.2.25-bp155.2.3.1` `cacti-spine >= 1.2.25-bp155.2.3.1`	Patchnames: openSUSE-2023-275
openSUSE Tumbleweed	`cacti >= 1.2.25-2.1`	Patchnames: openSUSE-Tumbleweed-2024-13203

SUSE Timeline for this CVE

CVE page created: Wed Sep 6 00:00:13 2023
CVE page last modified: Tue Sep 3 19:30:18 2024