Cacti is an open source operational monitoring and fault management framework that aids in the visualization and management of network resources. Recently, a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-39366, was discovered in Cacti's data_sources.php script. This vulnerability allows an authenticated user to poison data stored in Cacti's database, leading to the execution of JavaScript code in the browser of an administrative Cacti user who views the poisoned data.

Vulnerability Details

The data_sources.php script, which is responsible for displaying data source management information (e.g. data source path, polling configuration, etc.) for different data visualizations of the Cacti app, is affected by the XSS vulnerability. Researchers at CENSUS found that an attacker with the ability to configure a malicious Device name can exploit this vulnerability to conduct a stored XSS attack against any user with the same or broader privileges.

An attacker would need to have General Administration > Sites/Devices/Data permissions to exploit this vulnerability, as this permission allows them to configure device names in Cacti. The configuration takes place through http://<HOST>/cacti/host.php, and the rendered malicious payload is exhibited at http://<HOST>/cacti/data_sources.php.

Please refer to the original references for more information:

- Cacti's CVE-2023-39366 Announcement
- CENSUS Security Blog

Affected Versions

This vulnerability affects Cacti versions up to 1.2.24.

Mitigation Recommendations

This vulnerability has been addressed in Cacti version 1.2.25. Users are advised to update their Cacti installations to this version as soon as possible to mitigate the risk. If for any reason users are unable to update, it is recommended to manually filter HTML output to protect against potential exploitation.

Below is an example of a malicious Device name that could be used to exploit the vulnerability:

"><script>alert('XSS')</script>
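A defender-side check for this issue, as an added example that is not Cacti's own code: it audits stored device names for HTML markup (evidence that someone has already planted a payload) and shows the output escaping recommended above, using the Device name quoted above as input. It assumes device names live in the `description` column of Cacti's `host` table (an assumption); the rows are constructed inline so it runs offline.

```python
"""Audit Cacti device names for stored markup and show the escaping that defuses it.

Added example, not Cacti project code. ASSUMPTION: device names are the
`description` column of Cacti's `host` table; rows here are constructed
inline so the script runs offline.
"""
import html
import re

# Constructed sample rows in the (id, description) shape a DB query would return.
SAMPLE_DEVICES = [
    (1, "core-router-01"),
    (2, "edge-fw-02 (Munich)"),
    (3, "\"><script>alert('XSS')</script>"),  # the Device name quoted in the advisory
    (4, "<img src=x onerror=alert(1)>"),       # constructed variant
    (5, "printer & scanner"),                  # benign ampersand, not markup
]

# A device name has no business containing a tag opener, an attribute
# breakout (quote followed by '>') or an inline event handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|[\"']\s*>|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_device_names(rows):
    """Return the (id, description) rows whose name looks like HTML/JS markup.

    Hits are candidates for review: a stored payload means an account with
    device-configuration rights tried to plant XSS for administrators to view.
    """
    return [(dev_id, name) for dev_id, name in rows if MARKUP_RE.search(name)]


def escape_device_name(name):
    """Output filtering: encode &, <, >, double and single quotes so the name
    cannot leave the text or attribute context it is printed into."""
    return html.escape(name, quote=True)


def render_device_cell(name):
    """Hardened rendering of a device name in both attribute and text position."""
    safe = escape_device_name(name)
    return f'<td title="{safe}">{safe}</td>'


if __name__ == "__main__":
    for dev_id, name in suspicious_device_names(SAMPLE_DEVICES):
        print(f"host id {dev_id}: suspicious description {name!r}")
        print("  would render as:", render_device_cell(name))
```

Hits from the audit are flagged for human review rather than deleted automatically, since the pattern can match unusual but legitimate names.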

Summary

CVE-2023-39366 presents a significant security risk to Cacti users, as it allows an authenticated user to poison data in the database and execute JavaScript code in a victim's browser upon viewing. By updating to Cacti version 1.2.25 or manually filtering HTML output, users can mitigate the risk associated with this vulnerability. Be sure to stay informed about the latest security advisories and updates to keep your network resources secure.

Timeline

Published on: 09/05/2023 21:15:46 UTC
Last modified on: 11/09/2023 05:15:10 UTC