If you rely on Cacti for network or service monitoring, it’s time to check your version and lock things down. Cacti is widely used for its easy interface and open source power. But a recent disclosure—CVE-2023-39516—shows how a trusted user can plant dangerous scripts to run inside the browser of any admin who comes along later.

Let’s walk through what happened, see some code, and—most importantly—how you can stay safe.

Affected Versions: All versions prior to 1.2.25

- Exploitable By: Any authenticated user who can edit Data Source paths (usually those with 'General Administration > Sites/Devices/Data' permission)
- Patched In: Version 1.2.25 – Release Notes

Original Reference:

- CVE Record
- Cacti GitHub Fix
- CENSUS Advisory

Where’s The Bug?

Cacti lets users add and edit “Data Sources,” each with a “data-source path.” There’s no sanitation or HTML escaping on this field.

Malicious user sets the path to a string containing, say, a <script> tag.

2. Later, any admin visits the Data Sources page (via data_sources.php), and the script executes in their browser.

Who Can Exploit?

Any user who can edit Data Sources—often regular operators or “junior” admins. No need for a full admin role.

Attacker logs in.

2. Goes to http://<HOST>/cacti/data_sources.php

This is the kind of “data source path” that would trigger the XSS when displayed to an admin:

"><script>alert('XSS via CVE-2023-39516!');</script>

If you enter this as the “data-source path,” it will be saved directly to the database and shown to others.

Below, see a simplified *POST* request to add a malicious Data Source

POST /cacti/data_sources.php
Host: your-cacti-server
Cookie: Cacti_Session=your-session-cookie

id=new
name=BadXSSDataSource
data_input_id=1
...

<!-- Vulnerable field -->
data_source_path="><script>alert('XSS')</script>
...

Phish admins or inject further malware

Since Cacti consoles are often used for critical IT, this is a big deal.

Fix Status

- Patched: In Cacti 1.2.25, all data displayed in Data Source management now has proper HTML escaping.
- Workaround: If upgrading is not possible, sanitize (escape) output on data_sources.php. For PHP, you’d wrap any variable displayed with htmlspecialchars().

Example Fix

<!-- Old -->
<td><?=$data_source['path']?></td>

<!-- Secure -->
<td><?=htmlspecialchars($data_source['path'], ENT_QUOTES, 'UTF-8')?></td>

What You Should Do

1. Upgrade.
Run Cacti version 1.2.25 or newer.

2. Limit User Permissions.
Don’t give data source edit rights to anyone who doesn’t desperately need it.

3. Regularly Audit Database Content.
Review user-created data sources for suspicious code.

4. Escape Output Everywhere.
Get in the habit of using PHP’s htmlspecialchars() (or similar) on anything user-built.

- CVE-2023-39516 @ NVD
- Cacti Official Site
- Cacti 1.2.25 Release Notes
- Census Labs Advisory
- GitHub Fix Commit

Summary

CVE-2023-39516 lets any trusted user with the right permission plant JavaScript in your Cacti database, waiting to hijack or phish actual admins. Patch to 1.2.25, lock down permissions, and always escape user data in output. Don’t wait—fix your monitoring before attackers do.


Notice:
This write-up is an exclusive, plain-language guide for security teams and admins. Always test in safe environments and keep up-to-date on vendor security advisories.

Timeline

Published on: 09/05/2023 22:15:09 UTC
Last modified on: 11/09/2023 05:15:10 UTC