VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Feb 13, 2025

Stored Cross-site Scripting in reports_admin.php through Device-Name in 'select' input in Cacti

CVE-2023-39510

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated user to poison data stored in Cacti's database. This data is later viewed by administrative Cacti accounts, and the injected JavaScript executes in the victim's browser at view-time. The reports_admin.php script displays reporting information about graphs, devices, data sources, etc. CENSUS found that an adversary who is able to configure a malicious device name can deploy a stored XSS attack against any user of the same (or broader) privileges. A user who holds the General Administration>Sites/Devices/Data permission can configure device names in Cacti. This configuration occurs through http://<HOST>/cacti/host.php, while the rendered malicious payload is exhibited at http://<HOST>/cacti/reports_admin.php when a graph belonging to the maliciously renamed device is linked to the report. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually filter HTML output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The application does not properly sanitize user-supplied device names before rendering them in reports, allowing for the injection of JavaScript code."

Attack vector

An authenticated user with the 'General Administration>Sites/Devices/Data' permission can set a malicious device name (the `description` field) via `host.php` [ref_id=1]. When a graph from that device is included in a report, the name is rendered on `reports_admin.php` and the payload executes in the browser of any user viewing that page [ref_id=1]. On the client side the name is appended to the DOM by `$.fn.textBoxWidth` (which inserts the text to measure the width of the select input) and removed again immediately, but the embedded script runs during that brief insertion [ref_id=1]. Server-side output escaping alone is therefore not sufficient: a client-side sink that rebuilds HTML from the text it reads back still needs the text treated as data.

Affected code

The vulnerability lies within the `reports_admin.php` script, specifically in how device names are handled. The relevant code paths identified include `html_reports.php` lines 1008-1019, `lib/html_reports.php` line 1116, and `html_form.php` line 895, which interact with `includes/layout.js` line 283 [ref_id=1].

What the fix does

The advisory recommends treating user-supplied information as plain text or HTML-escaping it before rendering, so that a device name can never be interpreted as markup. For client-side JavaScript it advises against appending user-controlled input directly into the DOM (the `textBoxWidth` pattern above) [ref_id=1]. Users unable to upgrade to version 1.2.25 should manually filter HTML output; note that upgrading fixes the rendering but does not clean device names that were already poisoned in the database, so those rows should be reviewed separately.

Preconditions

  • Attacker must be an authenticated Cacti user with 'General Administration>Sites/Devices/Data' permissions.
  • Victim must be a user with privileges to view the reports page (`reports_admin.php`).

Reproduction

Step 1 (attacker session): store the payload as the device name through host.php.

POST /cacti/host.php?header=false HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 885
Origin: http://<HOST>
Connection: close
Cookie: Cacti=<COOKIE>

__csrf_magic=<CSRF TOKEN>&description=Local+Linux+Machine%3Cscript%3Ealert('host.php')%3C%2Fscript%3E&hostname=localhost=&poller_id=1&site_id=0&host_template_id=7&device_threads=1&snmp_version=0&snmp_community=public&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=-1&availability_method=0&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=Initial+Cacti+Device&external_id=&id=1&save_component_host=1&graph_template_id=5&reindex_radio_1=on&reindex_radio_16=on&snmp_query_id=3&reindex_method=0&action=save

Step 2 (victim session): open the report item that references a graph from that device; the device name is rendered and the script executes.

GET /cacti/reports_admin.php?action=item_edit&id=1&item_id=1 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CactiDateTime=<COOKIE>
Upgrade-Insecure-Requests: 1

[ref_id=1]
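The following is an added example, not Cacti code and not part of the CENSUS advisory. It ties the reproduction above to the fix: it recovers the payload from the URL-encoded form body of the host.php request, models the pre-fix `<option>` rendering (raw concatenation) beside the escaped rendering the advisory recommends (Python's `html.escape` with `quote=True` produces the same entities as PHP `htmlspecialchars` with ENT_QUOTES), and runs the post-upgrade check a responder wants: a scan of the `host` table for device descriptions that already contain HTML metacharacters. The in-memory SQLite table, its column names (`id`, `description`, `hostname`) and the sample rows are constructed for the example and are an assumption about Cacti's schema, not a dump of a real instance.

```python
"""Escape-and-audit helper for the Cacti device-name stored XSS (CVE-2023-39510).

Added example. Not Cacti's code: the rendering functions model the behaviour the
advisory describes, and the database layout is assumed (see lead-in).
"""
import html
import re
import sqlite3
from urllib.parse import parse_qs

# Trimmed copy of the host.php form body from the reproduction (constructed here;
# only the fields needed to recover the payload are kept).
FORM_BODY = (
    "__csrf_magic=<CSRF TOKEN>"
    "&description=Local+Linux+Machine%3Cscript%3Ealert('host.php')%3C%2Fscript%3E"
    "&hostname=localhost=&id=1&save_component_host=1&action=save"
)

# Characters that turn a device description into markup when rendered raw.
# Deliberately broad (quotes included, in case the name lands in an attribute);
# matches are for human review, not automatic deletion.
HTML_META = re.compile(r"[<>\"']")


def payload_from_form_body(body: str) -> str:
    """URL-decode the form body and return the stored device description."""
    return parse_qs(body)["description"][0]


def render_option_vulnerable(host_id: int, description: str) -> str:
    """Pre-1.2.25 behaviour modelled as concatenation: description is live markup."""
    return f'<option value="{host_id}">{description}</option>'


def render_option_fixed(host_id: int, description: str) -> str:
    """Recommended behaviour: escape &, <, >, \" and ' so the name is rendered as text."""
    return f'<option value="{host_id}">{html.escape(description, quote=True)}</option>'


def is_poisoned(description: str) -> bool:
    """True if the description would be interpreted as HTML when rendered unescaped."""
    return HTML_META.search(description) is not None


def find_poisoned_hosts(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Return (id, description) of every host row whose name contains HTML metacharacters.

    Assumes a Cacti-style `host` table with `id` and `description` columns.
    """
    rows = conn.execute("SELECT id, description FROM host ORDER BY id").fetchall()
    return [(hid, desc) for hid, desc in rows if is_poisoned(desc)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Cacti host table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT, hostname TEXT)")
    conn.executemany(
        "INSERT INTO host (id, description, hostname) VALUES (?, ?, ?)",
        [
            (1, payload_from_form_body(FORM_BODY), "localhost"),  # the poisoned row
            (2, "Core Switch 01", "10.0.0.2"),                     # benign
            (3, 'Edge Router "west"', "10.0.0.3"),                 # quote: review, likely benign
            (4, "Sensor <b>lab</b>", "10.0.0.4"),                  # markup: review
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    payload = payload_from_form_body(FORM_BODY)
    print("raw   :", render_option_vulnerable(1, payload))
    print("fixed :", render_option_fixed(1, payload))
    for hid, desc in find_poisoned_hosts(build_sample_db()):
        print(f"host id={hid} needs review: {desc!r}")
```

Run it after upgrading to 1.2.25 against a real export of the `host` table (adjust the query if your schema differs) to list device names that were poisoned before the fix; the escaped rendering shows why those rows are inert once output is encoded, but they are still attacker-controlled strings and should be renamed and investigated.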

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
