Stored Cross-site Scripting on host.php verbose data-query debug view in Cacti
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a stored cross-site scripting (XSS) vulnerability which allows an authenticated user to poison data stored in the _cacti_ database. This data is later viewed by administrative _cacti_ accounts and executes JavaScript code in the victim's browser at view time. The script host.php is used to monitor and manage hosts in the _cacti_ app, and hence displays useful information such as data queries and verbose logs. _CENSUS_ found that an adversary able to configure a data-query template with malicious code appended to the template path can deploy a stored XSS attack against any user with the _General Administration>Sites/Devices/Data_ privileges. A user that possesses the _Template Editor>Data Queries_ permission can configure the data query template path in _cacti_. Please note that such a user may be a low privileged user. This configuration occurs through http:///cacti/data_queries.php by editing an existing or adding a new data query template. If a template is linked to a device, the formatted template path will be rendered in the device's management page when a _verbose data query_ is requested. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti (no CPE): versions < 1.2.25
- OSV coordinates, openSUSE and SUSE packages (11 versions):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.4: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed: < 1.2.25-2.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.4: < 1.2.25-bp155.2.3.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP4: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP4: < 1.2.25-bp155.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5: < 1.2.25-bp155.2.3.1
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the data-query template path when rendered in the verbose debug log on host.php."
Attack vector
An attacker with the **Template Editor > Data Queries** privilege can craft a data-query template whose `xml_path` contains a JavaScript payload (e.g., `<script>alert(...)</script>`). When a victim with **General Administration > Sites/Devices/Data** privilege visits a URL such as `host.php?action=query_verbose&id=<ID>&host_id=<HOST_ID>&nostate=true`, the unsanitized path is rendered in the debug log output, executing the attacker's script in the victim's browser [ref_id=1].
Affected code
The vulnerability resides in `host.php` at line 873, where the output of `debug_log_return('data_query')` is rendered inside a `<span>` element without any HTML escaping. This allows stored malicious script content to be injected into the page when a verbose data query is viewed.
What the fix does
The advisory recommends escaping HTML entities before rendering user-supplied data, or emitting the output into a plain-text element, so that any embedded `<script>` tags are treated as text rather than executable code. The fix shipped in version 1.2.25 applies HTML escaping to the `debug_log_return()` output before it is placed in the page, so the stored template path can no longer be interpreted as markup.
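The following is an added example, not code from Cacti or from the advisory: a minimal PHP model of the verbose data-query debug view described above, showing the unescaped `<span>` rendering the advisory points at beside the escaped rendering the fix applies. The sample template path, the `$debug_log` array, and the helper names `run_verbose_query()`, `render_verbose_unsafe()`, `render_verbose_safe()` and `html_escape()` are assumptions made for this illustration, not Cacti identifiers (requires PHP 8 for `str_contains`).

```php
<?php
// Added example (not Cacti's code): models the host.php verbose data-query
// debug view. All names below are assumptions for this illustration.

// Constructed sample: a data-query template path as a Template Editor user
// could store it through data_queries.php, with script appended to the path.
$stored_xml_path = '<path_cacti>/resource/script_server/host_disk.xml'
    . '<script>alert(document.cookie)</script>';

// Stand-in for the debug log: verbose data-query output accumulates as lines
// that are later dumped into the page as one string.
$debug_log = [];

function debug_log_insert(array &$log, string $line): void {
    $log[] = $line;
}

function debug_log_return(array $log): string {
    return implode("<br>\n", $log);
}

// Simulated "verbose data query": the stored template path is interpolated
// into a log message before anything decides how to render it.
function run_verbose_query(array &$log, string $xml_path): void {
    debug_log_insert($log, "Found data query XML file at '" . $xml_path . "'");
}

// VULNERABLE: the pattern the advisory describes. The log text is echoed
// inside a <span> with no encoding, so markup stored in the path becomes
// live HTML in the administrator's browser.
function render_verbose_unsafe(array $log): string {
    return "<span class='debugDataQuery'>" . debug_log_return($log) . "</span>";
}

// FIXED: encode the data, not the markup. Each log line is escaped on its
// own and then joined with separators the code controls. ENT_QUOTES also
// covers payloads that try to break out of an attribute value.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_verbose_safe(array $log): string {
    $escaped = array_map('html_escape', $log);
    return "<span class='debugDataQuery'>" . implode("<br>\n", $escaped) . "</span>";
}

run_verbose_query($debug_log, $stored_xml_path);

$unsafe = render_verbose_unsafe($debug_log);
$safe   = render_verbose_safe($debug_log);

echo "--- unsafe ---\n", $unsafe, "\n";
echo "--- safe ---\n", $safe, "\n";

// Check a reviewer can run against the two renderings: the hardened output
// must carry no raw <script> tag, only its entity-encoded form.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
```

Note that the safe variant escapes each log line before re-joining, rather than escaping the whole `debug_log_return()` string: escaping the joined string would also neutralise the `<br>` separators the page itself emits. The same split applies to the real fix: whatever markup the view needs is added after the user-controlled text has been encoded, never before. The `<path_cacti>` token in the sample path is also encoded, which is correct since it is data displayed to the user, not markup the page intends to render.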
Preconditions
- (auth) Attacker must have the 'Template Editor > Data Queries' permission to create or edit a data-query template.
- (auth) Victim must have the 'General Administration > Sites/Devices/Data' permission to view verbose data queries.
- (config) The crafted data-query template must be linked to a device so that the malicious path is rendered in the verbose log.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2 (vendor advisory)
2. lists.debian.org/debian-lts-announce/2024/03/msg00018.html
3. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
4. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
5. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
6. www.debian.org/security/2023/dsa-5550