Stored Cross-site Scripting on data_debug.php datasource path view in Cacti
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in Cacti's database. These data are later viewed by administrative Cacti accounts, and the injected JavaScript executes in the victim's browser at view-time. The script under data_debug.php displays data source related debugging information such as _data source paths, polling settings, meta-data on the data source_. _CENSUS_ found that an adversary who is able to configure a malicious data-source path can deploy a stored XSS attack against any user that has privileges related to viewing the data_debug.php information. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the data source path in _cacti_. This configuration occurs through http:///cacti/data_sources.php. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: >=1.0 <1.2.25
- (no CPE) range: < 1.2.25
- osv-coords (11 versions):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP4
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP4
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5
- Affected ranges for the osv-coords above (no CPE):
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-2.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
  - range: < 1.2.25-bp155.2.3.1
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the `$real_path` variable in `data_debug.php` allows stored cross-site scripting."
Attack vector
An authenticated attacker with _General Administration>Sites/Devices/Data_ permissions sets a malicious `data_source_path` containing JavaScript via a POST to `data_sources.php`. Any user who then views the poisoned data source on `data_debug.php` will have the injected script executed in their browser, because the path is rendered unescaped. The attacker only needs to lure a victim with _Troubleshooting>Data Sources_ access to the debug page for that data source.
Affected code
The vulnerability is in `data_debug.php` at line 761, where the variable `$real_path` is rendered without HTML escaping when displaying the _Is RRDfile writeable by poller?_ field [ref_id=1]. The adversary injects the payload by configuring a malicious data-source path through `data_sources.php`.
What the fix does
Although the advisory does not include a patch diff, it recommends escaping the user-supplied `$real_path` value with HTML entities before rendering it in `data_debug.php` so that injected script tags are treated as text rather than executable code. The official fix in version 1.2.25 applies this escaping to the `$real_path` output, preventing stored XSS.
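The escaping the fix applies, shown as an added PHP illustration rather than Cacti's own code (the page does not include the 1.2.25 patch): a rendering function that interpolates the stored `$real_path` unescaped, beside one that escapes every user-controlled value at the HTML boundary with PHP's `htmlspecialchars`, plus a small check a reviewer can run over the rendered value. The function names and the sample paths are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from Cacti: the unescaped-output pattern the
// advisory describes beside its escaped form. All function names and sample
// values here are constructed for this example.

/** Constructed data source paths, as an authenticated user could have saved them. */
const SAMPLE_PATHS = [
    '/var/lib/cacti/rra/localhost_load_1min_5.rrd',
    // Legitimate special character that must survive escaping intact when decoded.
    '/var/lib/cacti/rra/rack&row_7.rrd',
    // Constructed marker: markup inside the stored path, no functional payload.
    '/var/lib/cacti/rra/<script>/* constructed marker */</script>.rrd',
];

/** Vulnerable pattern: the stored value is interpolated straight into HTML. */
function render_row_vulnerable(string $label, string $real_path): string
{
    return "<tr><td>{$label}</td><td>{$real_path}</td></tr>";
}

/** Escape at the HTML boundary; ENT_QUOTES also makes the value safe inside attributes. */
function html_escape_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every user-controlled value is escaped before output. */
function render_row_fixed(string $label, string $real_path): string
{
    return '<tr><td>' . html_escape_value($label) . '</td><td>'
        . html_escape_value($real_path) . '</td></tr>';
}

/**
 * Review check: after escaping, a value cell must contain none of the
 * characters that can open a tag or break out of an attribute.
 */
function escaped_value_is_inert(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') === false;
}

foreach (SAMPLE_PATHS as $path) {
    echo 'vulnerable: ', render_row_vulnerable('Is RRDfile writeable by poller?', $path), PHP_EOL;
    echo 'fixed:      ', render_row_fixed('Is RRDfile writeable by poller?', $path), PHP_EOL;

    $escaped = html_escape_value($path);
    // Escaping is lossless: decoding gives back exactly the stored path, so
    // paths containing '&' or quotes are still displayed correctly.
    assert(html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $path);
    // ...and inert: nothing in the cell can start markup.
    assert(escaped_value_is_inert($escaped));
    echo PHP_EOL;
}
```

Escaping on output, rather than filtering on input, is the right control here: a data source path is a legitimate filesystem value that may contain `&` or quotes, and output escaping keeps the stored value intact while making it inert in the browser. This is also what the advisory's workaround for users who cannot upgrade ("manually filter HTML output") amounts to.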
Preconditions
- auth: The attacker must be authenticated and hold the 'General Administration>Sites/Devices/Data' permission.
- auth: The victim must have privileges to view 'data_debug.php' (Troubleshooting>Data Sources).
- input: The attacker must submit a crafted data_source_path containing JavaScript via the data_sources.php form.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2024/03/msg00018.html (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ (mitre)
- www.debian.org/security/2023/dsa-5550 (mitre)
News mentions
No linked articles in our index yet.