CVE-2023-49086 - OpenCVE

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cacti	Cacti

Configuration 1 [-]

cpe:2.3:a:cacti:cacti:1.2.25:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9
https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-21T23:29:45.134Z

Updated: 2024-08-02T21:46:29.106Z

Reserved: 2023-11-21T18:57:30.428Z

Link: CVE-2023-49086

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-22T00:15:34.857

Modified: 2024-06-10T17:16:15.433

Link: CVE-2023-49086

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-49086", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.428Z", "datePublished": "2023-12-21T23:29:45.134Z", "dateUpdated": "2024-08-02T21:46:29.106Z"}, "containers": {"cna": {"title": "Cacti is vulnerable to cross-Site scripting (XSS) DOM ", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr"}, {"name": "https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"}], "affected": [{"vendor": "Cacti", "product": "cacti", "versions": [{"version": "< 1.2.27", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T12:54:31.990Z"}, "descriptions": [{"lang": "en", "value": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.\n"}], "source": {"advisory": "GHSA-wc73-r2vw-59pr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.106Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr"}, {"name": "https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cacti:cacti:1.2.25:*:*:*:*:*:*:*", "matchCriteriaId": "EF5814EC-CFCB-4066-9260-FF78B45E2089", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.\n"}, {"lang": "es", "value": "Cacti es un framework robusto de gesti\u00f3n de fallos y rendimiento y una interfaz para RRDTool - a Time Series Database (TSDB). Omitiendo una soluci\u00f3n anterior (CVE-2023-39360) que provoca un ataque DOM XSS. La explotaci\u00f3n de la vulnerabilidad es posible para un usuario autorizado. El componente vulnerable es `graphs_new.php`. Impacto de la vulnerabilidad: ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario en el navegador del usuario atacado. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.26."}], "id": "CVE-2023-49086", "lastModified": "2024-06-10T17:16:15.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-22T00:15:34.857", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}