CVE-2024-43362 Information
Description
Cacti is an open source performance and fault management framework. The fileurl parameter is not properly sanitized when saving external links in links.php. Moreover, the saved fileurl is placed in HTML code that is passed to the print function in link.php and index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the fileurl parameter in the HTTP POST request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.
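As an added example that is not Cacti's own code from links.php, link.php or index.php: the unsafe pattern the advisory describes (a stored URL string emitted into HTML without validation or escaping) beside a hardened version that validates at save time and escapes at render time; the function names and sample inputs are hypothetical.

```php
<?php
// Added example, not Cacti's code. Illustrates the class of defect the advisory
// describes: an attacker-controlled URL string emitted into HTML without
// validation or escaping, beside a hardened version that does both.

// Unsafe pattern: the stored value is interpolated into markup and printed as-is.
function render_link_unsafe(string $fileurl, string $title): string
{
    return '<a href="' . $fileurl . '">' . $title . '</a>';
}

// Save-time validation: accept only http(s) URLs or site-relative paths.
// Anything else (other schemes, quotes, angle brackets, whitespace) is rejected.
function validate_fileurl(string $fileurl): ?string
{
    $url = trim($fileurl);
    if (preg_match('#^https?://[^\s"\'<>]+$#i', $url) === 1) {
        return $url;
    }
    if (preg_match('#^/[^\s"\'<>]*$#', $url) === 1) {
        return $url;
    }
    return null;
}

// Render-time escaping: even a value that passed validation is escaped for the
// attribute context before it reaches print(), so one layer failing is not fatal.
function render_link_safe(string $fileurl, string $title): string
{
    $url  = validate_fileurl($fileurl) ?? '#';
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

// Constructed inputs: a legitimate link and one containing characters that
// would terminate the href attribute if emitted verbatim.
$samples = [
    'https://example.com/dashboard',
    'https://example.com/?q="><em>x</em>',
];
foreach ($samples as $s) {
    echo render_link_unsafe($s, 'Docs'), PHP_EOL;  // second sample breaks out of href
    echo render_link_safe($s, 'Docs'), PHP_EOL;    // second sample is rejected, then escaped
}
```

Running the script shows the unsafe renderer emitting the second sample's quote and angle brackets into the markup, while the safe renderer rejects it at validation and escapes whatever it does emit.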
Reference
https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c