CVE-2023-50250

EUVD-2023-55066
Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
GitHub_MCNA
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
cacticacti
1.2.25
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cacti
bookworm
1.2.24+ds1-1+deb12u4
fixed
bookworm (security)
1.2.24+ds1-1+deb12u2
fixed
bullseye
1.2.16+ds1-2+deb11u3
not-affected
bullseye (security)
1.2.16+ds1-2+deb11u4
fixed
buster
not-affected
sid
1.2.28+ds1-3
fixed
trixie
1.2.28+ds1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cacti
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/templates_import.php
https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/
https://github.com/Cacti/cacti/blob/5f6f65c215d663a775950b2d9db35edbaf07d680/templates_import.php
https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/