Cacti is a widely used open source framework for operational monitoring and fault management that provides a simple platform for managing graphs, devices, and data sources. A Stored Cross-Site Scripting (XSS) vulnerability, CVE-2023-39511, was recently disclosed in certain Cacti versions. It allows an authenticated attacker to poison data in the Cacti database with JavaScript that is then executed in the browser of an administrative Cacti account at view time. This post describes the vulnerability and how to protect a Cacti installation against it.

Exploit Details

The vulnerability exists in reports_admin.php, the script that displays reporting information about graphs, devices, data sources and similar objects. Researchers at CENSUS found that an attacker who can set a malicious name on a device whose graph is attached to a report can mount a stored XSS attack against any super user entitled to view the reports_admin.php page, such as administrator accounts. Exploitation requires only an account holding the _General Administration > Sites/Devices/Data_ permission: that account edits the device name through http://<HOST>/cacti/host.php, and the unescaped payload is rendered at http://<HOST>/cacti/reports_admin.php whenever a graph belonging to that device is linked to a report. The attack therefore crosses a privilege boundary: a low-privilege device editor gains JavaScript execution in an administrator's browser session.

Affected Versions

This vulnerability affects Cacti versions prior to 1.2.25.

Example of a malicious device name that can be used to trigger the stored XSS vulnerability:

<script>alert('XSS');</script>

Once a device carrying this name is attached, through one of its graphs, to a report, the script is stored verbatim in the database and runs in the browser of any administrative Cacti account that opens reports_admin.php.

Mitigation

The Cacti development team has addressed this issue in version 1.2.25. Users are strongly advised to upgrade their Cacti installation to the latest version to protect against this vulnerability.

Original References

1. Cacti's Official Website
2. CVE-2023-39511 – Stored XSS vulnerability in Cacti

For users who are unable to upgrade, the advisory's workaround is to manually filter the HTML output of the vulnerable script reports_admin.php: escape the device name (and any other database-sourced value) at the point where the page renders it, for example with PHP's htmlspecialchars() using ENT_QUOTES or with Cacti's own html_escape() helper. Note that this is output encoding, not input sanitization. Running strip_tags() on device names before storing them is not an adequate substitute: it destroys legitimate names containing angle brackets, does nothing for records that are already in the database, and does not protect values that end up inside HTML attributes.
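As an added illustration (this is not Cacti's code; the row layout and the function names are hypothetical simplifications of the report listing in reports_admin.php), the following PHP contrasts an unescaped rendering of a stored device name with the escaped form, using the payload above as constructed sample data:

```php
<?php
// Added example, not Cacti's own code. The row shape and the render functions
// are hypothetical simplifications of how a report page lists attached graphs.

// Constructed sample row, as it might come back from the database after an
// account with Sites/Devices/Data permission saved a malicious device name.
$row = [
    'report_name' => 'Weekly capacity report',
    'graph_title' => 'Traffic - eth0',
    'description' => "<script>alert('XSS');</script>",   // the device name
];

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so whatever the device editor typed reaches the administrator's browser.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['report_name'] . '</td>'
         . '<td>' . $row['graph_title'] . '</td>'
         . '<td>' . $row['description'] . '</td></tr>';
}

// Output encoding helper. ENT_QUOTES also encodes single quotes, so the value
// is safe inside attribute values as well as text nodes; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the string.
function html_escape_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every database-sourced value is escaped at output time,
// regardless of which role was allowed to write it.
function render_row_fixed(array $row): string
{
    return '<tr><td>' . html_escape_out($row['report_name']) . '</td>'
         . '<td>' . html_escape_out($row['graph_title']) . '</td>'
         . '<td>' . html_escape_out($row['description']) . '</td></tr>';
}

// Crude reviewer check: does a raw <script> tag survive into the rendered HTML?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln  = render_row_vulnerable($row);
$fixed = render_row_fixed($row);

echo "vulnerable: $vuln\n";   // the payload passes through unchanged
echo "fixed:      $fixed\n";  // angle brackets and quotes are entity-encoded

var_dump(contains_script_tag($vuln));
var_dump(contains_script_tag($fixed));
```

Run it with php from the command line. The point to take away is that the escaping happens on output, on every value that originated from the database, rather than by trying to clean the device name when it is saved.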

Conclusion

The CVE-2023-39511 vulnerability in Cacti highlights the importance of keeping your software up to date and applying security best practices. By upgrading to the latest Cacti version or implementing the suggested workaround, users can protect their installations from this stored XSS vulnerability and ensure the integrity of their system.

Timeline

Published on: 09/06/2023 18:15:08 UTC
Last modified on: 11/03/2023 21:15:15 UTC