Stored Cross-Site-Scripting on data_sources.php debug html-block in Cacti
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in _cacti_'s database. This data is later viewed by administrative _cacti_ accounts and executes JavaScript code in the victim's browser at view-time. The script under data_sources.php displays the data source management information (e.g. data source path, polling configuration etc.) for the different data visualizations of the _cacti_ app. CENSUS found that an adversary who is able to configure a malicious data-source path can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the 'General Administration>Sites/Devices/Data' permissions can configure the data source path in Cacti. This configuration occurs through http:///cacti/data_sources.php. The same page can be used for previewing the data source path. This issue has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to upgrade should manually escape HTML output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti (no CPE, two entries): range < 1.2.25
- OSV coordinates, 11 package versions (openSUSE / SUSE RPM packages, no CPE):
  - pkg:rpm/opensuse/cacti (openSUSE Leap 15.4, openSUSE Leap 15.5, openSUSE Tumbleweed)
  - pkg:rpm/opensuse/cacti-spine (openSUSE Leap 15.4, openSUSE Leap 15.5)
  - pkg:rpm/suse/cacti (SUSE Package Hub 12, SUSE Package Hub 15 SP4, SUSE Package Hub 15 SP5)
  - pkg:rpm/suse/cacti-spine (SUSE Package Hub 12, SUSE Package Hub 15 SP4, SUSE Package Hub 15 SP5)
  - Fixed-version ranges: < 1.2.25-bp155.2.3.1 (10 entries), < 1.2.25-2.1 (1 entry)
Patches
Vulnerability mechanics
Root cause
"The output of `@rrdtool_function_create()` in `data_sources.php` is rendered as raw HTML inside a `<pre>` block without escaping, allowing a stored XSS payload in the data-source path to execute in the victim's browser."
Attack vector
An authenticated attacker with 'General Administration > Sites/Devices/Data' permissions POSTs a malicious `data_source_path` parameter to `data_sources.php?action=save`, embedding JavaScript inside the path (e.g. `<img src=x onerror=alert(1)>`). Any user who subsequently views that data source with `debug=1` on `data_sources.php?action=ds_edit&id=X&debug=1` will have the stored payload rendered raw in the debug `<pre>` block, causing the script to execute in the victim's browser. This is a Stored XSS attack [CWE-79] [ref_id=1].
Affected code
The vulnerability resides in `data_sources.php` at line 1166, where the output of `@rrdtool_function_create(get_request_var('id'), true)` is inserted as raw HTML inside a `<pre>` block without escaping. The advisory identifies that the same page is used for both configuring and previewing the data-source path, making it possible for a malicious path to be stored and later rendered unsanitized.
What the fix does
The fix (since version 1.2.25) requires that user-supplied data rendered in the debug output be HTML-escaped before it is included in the page. The advisory recommends either making the debug output a text-only element or escaping the content with HTML entities so that any injected script tags or event handlers are displayed as literal text rather than executed. No patch diff is shown in the bundle, but the remediation guidance is clear.
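The remediation described above, as an added illustration written for this page and not taken from Cacti's source: a stand-in for the rrdtool-create debug output (the helper name, the sample path and the command format are constructed) is rendered once unescaped, as the vulnerable `<pre>` block did, and once through `htmlspecialchars()`, so the same stored path shows up as literal text.

```php
<?php
// Added illustration, not Cacti's code. Shows how a stored data-source path reaches
// the debug <pre> block and why escaping at the output boundary neutralises it.

// Constructed sample: a data-source path as an authenticated user could have stored
// it. The payload is the one quoted in the attack-vector paragraph of this page.
$stored_path = '/var/lib/cacti/rra/<img src=x onerror=alert(1)>.rrd';

// Hypothetical stand-in for the real @rrdtool_function_create() output, which
// embeds the stored path in the generated "rrdtool create" command line.
function fake_rrdtool_create_command(string $path): string
{
    return "/usr/bin/rrdtool create $path --step 300 DS:traffic_in:COUNTER:600:0:U";
}

// Vulnerable pattern: raw interpolation into HTML. The browser parses the <img ...>
// element and runs its onerror handler when the page is viewed.
function render_debug_unsafe(string $path): string
{
    return '<pre>' . fake_rrdtool_create_command($path) . '</pre>';
}

// Hardened pattern: HTML-escape the whole command string at output time. The same
// bytes are now displayed verbatim; no tag or attribute is parsed by the browser.
function render_debug_safe(string $path): string
{
    $escaped = htmlspecialchars(
        fake_rrdtool_create_command($path),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<pre>' . $escaped . '</pre>';
}

// Quick self-check a reviewer can apply to any rendered debug block: apart from the
// surrounding <pre></pre>, the content must contain no unescaped angle brackets.
function debug_block_is_text_only(string $html): bool
{
    $inner = substr($html, strlen('<pre>'), -strlen('</pre>'));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

echo render_debug_unsafe($stored_path), PHP_EOL;
var_dump(debug_block_is_text_only(render_debug_unsafe($stored_path))); // bool(false)

echo render_debug_safe($stored_path), PHP_EOL;
var_dump(debug_block_is_text_only(render_debug_safe($stored_path)));   // bool(true)
```

The escaped output keeps the path fully readable for debugging purposes, which is why the advisory's text-only or entity-escaped rendering is the preferred fix over stripping characters from the stored value.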
Preconditions
- Auth: Attacker must be an authenticated Cacti user with the 'General Administration > Sites/Devices/Data' permission
- Input: Victim must access the crafted data source's edit page with debug mode enabled (e.g. ?action=ds_edit&id=X&debug=1)
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cacti/cacti/security/advisories/GHSA-r8qq-88g3-hmgv (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2024/03/msg00018.html (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/ (mitre)
- www.debian.org/security/2023/dsa-5550 (mitre)
News mentions
No linked articles in our index yet.