Stored Cross-site Scripting (XSS) when creating external links in Cacti
CVE-2024-43362

7.3HIGH

Key Information:

Vendor: Cacti
Status: Cacti
Vendor: CVE Published:; 7 October 2024

What is CVE-2024-43362?

The Cacti framework, utilized for performance and fault management, contains a vulnerability due to improper sanitization of the 'fileurl' parameter in 'links.php'. This flaw allows users with the privilege to create external links to inject malicious scripts, leading to stored XSS attacks. These injections can be executed whenever external links are rendered, posing a significant risk to users accessing the affected functionalities. The issue has been resolved in version 1.2.28, and users are strongly encouraged to upgrade immediately, as no workarounds are available to mitigate this risk.

Affected Version(s)

cacti < 1.2.28

References

https://github.com/Cacti/cacti/security/advisories/GHSA-w...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 7, 2024

JSON