VYPR
Severity: Unrated · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Reflected Cross-site Scripting in graphs_new.php in Cacti

CVE-2023-39360

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability that allows an authenticated user to poison data. The vulnerability is found in graphs_new.php. Several validations are performed, but the returnto parameter is directly passed to form_save_button. In order to bypass this validation, returnto must contain host.php. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 13

Patches

Vulnerability mechanics

Root cause

"The `returnto` parameter is not properly sanitized before being used in the `onClick` attribute of a JavaScript function, allowing for script execution."

Attack vector

An authenticated user can exploit this vulnerability by navigating to `graphs_new.php` with a crafted `returnto` parameter. The parameter must contain `javascript:` and `host.php` to bypass validation. For example, `http://IP/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS` can be used. When the 'Cancel' button is clicked, the embedded JavaScript is executed within the user's browser context [ref_id=1].

Affected code

The vulnerability resides in the `graphs_new.php` script, specifically where the `returnto` parameter is processed and passed to the `form_save_button` function. The `form_save_button` function then uses this parameter within an `onClick` attribute, which is vulnerable to injection if not properly escaped [ref_id=1].

What the fix does

The patch addresses the vulnerability by ensuring that the `returnto` parameter is properly validated and sanitized before being used. Specifically, the code now checks if the `returnto` parameter contains `host.php` and if not, it is set to an empty string, preventing the injection of malicious JavaScript. This ensures that the `returnto` parameter, when used in the `onClick` attribute, cannot be exploited to execute arbitrary scripts [ref_id=1].
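The two passages above describe the same sink from both sides: a substring check on `returnto` followed by raw interpolation into an `onClick` attribute. The following PHP is an added illustration written for this page, not Cacti's own code and not the 1.2.25 patch; the helper names `render_cancel_button_vulnerable`, `render_cancel_button_hardened`, `validate_return_page`, `js_attr_literal` and the `cactiReturnTo` JavaScript function are assumed stand-ins for whatever a real form helper emits. It shows why a "contains host.php" test is not a URL validation, and one way to make the parameter data rather than code in both the JavaScript and the HTML-attribute context.

```php
<?php
// Added example for this advisory page (not Cacti's code): a "return to"
// parameter that lands in an onClick attribute, in a weak and a hardened form.
// Assumption: a hypothetical cancel-button helper shaped like a generic
// save/cancel form helper; the real Cacti helpers differ in detail.

// WEAK pattern: a substring check is not a URL validation. Any value that
// merely contains "host.php" passes, and the raw value is placed inside an
// HTML attribute that the browser then executes as JavaScript.
function render_cancel_button_vulnerable(string $returnto): string {
    if (strpos($returnto, 'host.php') === false) {
        $returnto = '';
    }
    return "<input type='button' value='Cancel' "
         . "onClick='cactiReturnTo(\"" . $returnto . "\")'>";
}

// HARDENED pattern:
//  1. Allowlist: accept only a bare page name from a fixed set. Anything with
//     a scheme (javascript:, data:) or a host (//other.example) is rejected,
//     and basename() strips any path component, so only the page name survives.
//  2. Output encoding for both contexts: JSON-encode the JS string literal,
//     then HTML-encode the attribute, so quotes and angle brackets are inert.
const ALLOWED_RETURN_PAGES = ['host.php', 'graphs.php', 'graphs_new.php'];

function validate_return_page(string $returnto, string $default = 'host.php'): string {
    $parts = parse_url($returnto);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;          // scheme or host present: not a local page
    }
    $page = basename($parts['path'] ?? '');
    return in_array($page, ALLOWED_RETURN_PAGES, true) ? $page : $default;
}

function js_attr_literal(string $value): string {
    // JSON encoding with the HEX flags escapes quotes, <, >, & and
    // backslashes for the JS context; htmlspecialchars protects the
    // surrounding attribute delimiters for the HTML context.
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return htmlspecialchars($json, ENT_QUOTES, 'UTF-8');
}

function render_cancel_button_hardened(string $returnto): string {
    $page = validate_return_page($returnto);
    return "<input type='button' value='Cancel' "
         . "onClick='cactiReturnTo(" . js_attr_literal($page) . ")'>";
}

// Constructed inputs for a local run: the advisory's own payload shape
// (scheme plus a trailing "host.php"), a protocol-relative URL, and a
// legitimate value.
$samples = [
    'javascript:alert(location.hash.substring(1))//host.php',
    '//other.example/host.php',
    '../host.php',
    'host.php',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "weak:      " . render_cancel_button_vulnerable($s) . "\n";
    echo "hardened:  " . render_cancel_button_hardened($s) . "\n\n";
}
```

Run with `php example.php`. In the weak output the first sample appears verbatim inside the attribute; in the hardened output every sample collapses to an allowlisted page name wrapped as `&quot;host.php&quot;`, which the browser decodes to the JavaScript string literal `"host.php"` before the handler runs. The allowlist, not the encoding, is what removes the `javascript:` scheme; the encoding is the second layer that keeps a value that does pass validation from ever closing the attribute or the string literal.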

Preconditions

  • auth: The attacker must be authenticated to the Cacti application.

Reproduction

Log in to Cacti. Open "http://IP/cacti/graphs_new.php?returnto=javascript:alert(location.hash.substring(1))//host.php#XSS" and click the Cancel button. [ref_id=1]

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
