Описание
Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in data_debug.php. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: General Administration>Sites/Devices/Data. The victim of this attack could be any account with permissions to view http://<HOST>/cacti/data_debug.php. As of time of publication, no complete fix has been included in Cacti.
Ссылки
- ExploitVendor Advisory
- ExploitVendor Advisory
- ExploitVendor Advisory
- ExploitVendor Advisory
- ExploitVendor Advisory
- ExploitVendor Advisory
Уязвимые конфигурации
EPSS
6.1 Medium
CVSS3
4.8 Medium
CVSS3
Дефекты
Связанные уязвимости
Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute malicious code when a victim user hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of publication, no complete fix has been included in Cacti.
Cacti is an open source operational monitoring and fault management fr ...
Уязвимость программного средства мониторинга сети Cacti, существующая из-за непринятия мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный код
EPSS
6.1 Medium
CVSS3
4.8 Medium
CVSS3