VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Open redirect in change password functionality in Cacti

CVE-2023-39364

Description

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a password change performed via a specifically crafted URL. The auth_changepassword.php file accepts ref as a URL parameter and reflects it in the form used to perform the password change. Its value is then used to perform a redirect via the PHP header function. A user can be tricked into performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website to which the redirection has been performed, e.g., downloading malware, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The `auth_changepassword.php` script reflects a user-supplied URL parameter directly into a redirect header without proper validation."

Attack vector

An attacker can craft a URL containing a malicious website in the `ref` parameter and trick a user with console access into clicking it. When the user performs a password change via this crafted URL, they will be redirected to the attacker-controlled site [ref_id=1]. This redirection can lead to malware downloads or credential harvesting [ref_id=1].

Affected code

The `auth_changepassword.php` file is affected. Specifically, the `get_nfilter_request_var('ref')` function retrieves the value of the `ref` parameter, which is then used in a `header('Location: ...')` call after potentially being processed by `sanitize_uri` and `get_request_var` [ref_id=1]. The `sanitize_uri` function only cleans up for XSS, and `get_nfilter_request_var` defers filtering, allowing arbitrary URLs to be passed to the redirect function [ref_id=1].
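As an added illustration (not Cacti's code and not its 1.2.25 fix), the reflected-redirect pattern this section describes is shown beside a hardened handler that only follows local, relative Cacti page paths. All function names other than PHP's `header()`, `parse_url()` and `preg_match()` are hypothetical.

```php
<?php
// Added example, not Cacti's code: the unvalidated reflected-redirect pattern
// beside a variant that only follows local relative paths such as host.php?id=3.

// Vulnerable pattern: whatever arrived in ?ref= reaches the Location header.
function redirect_unchecked(string $ref): void {
    header('Location: ' . $ref);
}

// Return $ref if it is a local relative .php path, otherwise the fallback page.
function safe_local_redirect_target(?string $ref, string $fallback = 'index.php'): string {
    if ($ref === null || $ref === '') {
        return $fallback;
    }
    // Control characters (including CR/LF) have no place in a redirect target.
    if (preg_match('/[\x00-\x1F\x7F]/', $ref)) {
        return $fallback;
    }
    // parse_url() reports "//evil.example" as a host; any scheme, host or
    // userinfo means the target is not local to this installation.
    $parts = parse_url($ref);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $path = isset($parts['path']) ? $parts['path'] : '';
    // Require a plain relative path: no leading slash or backslash (browsers may
    // normalise "/\" into a protocol-relative URL) and no directory traversal.
    if ($path === '' || $path[0] === '/' || $path[0] === '\\'
        || strpos($path, '\\') !== false || strpos($path, '..') !== false) {
        return $fallback;
    }
    // Only allow the simple file names Cacti pages use, ending in .php.
    if (!preg_match('#^[A-Za-z0-9_./-]+\.php$#', $path)) {
        return $fallback;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

// Hardened pattern: the Location header only ever carries a vetted local path.
function redirect_checked(?string $ref): void {
    header('Location: ' . safe_local_redirect_target($ref));
}

// Constructed inputs: the first two are followed, the remaining four fall back.
foreach (['graph_view.php', 'host.php?id=3', 'https://attacker.example',
          '//attacker.example', '/\\attacker.example', "index.php\r\nX: y"] as $ref) {
    echo json_encode($ref), ' => ', safe_local_redirect_target($ref), "\n";
}
```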

What the fix does

The vulnerability is addressed in Cacti version 1.2.25. The advisory indicates that the `auth_changepassword.php` file accepts the `ref` URL parameter and uses it in a redirect via the `header` PHP function without sufficient validation [ref_id=1]. Users are advised to upgrade to version 1.2.25 to mitigate this issue.

Preconditions

  • auth: The target user must have console access permissions.
  • config: The target user's login options must be set to 'Show the page that user pointed their browser to.' (case '1'), which is the default behavior.

Reproduction

Send the target user a link like the following: `https://<cacti_installation>/auth_changepassword.php?ref=https://<malicious_website>`. After the change password operation, the browser is redirected to the malicious website [ref_id=1].

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
