Cacti is vulnerable to cross-Site scripting (XSS) DOM
Description
Cacti is a robust performance and fault management framework and a frontend to RRDTool, a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti (no CPE): range < 1.2.27
- openSUSE / SUSE packages (OSV coordinates, 7 versions):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5
  Affected version ranges, in the same order (no CPE):
  - < 1.2.26-bp155.2.6.1
  - < 1.2.26-1.1
  - < 1.2.26-bp155.2.6.1
  - < 1.2.26-bp155.2.6.1
  - < 1.2.26-bp155.2.6.1
  - < 1.2.26-bp155.2.6.1
  - < 1.2.26-bp155.2.6.1
Patches
Vulnerability mechanics
Root cause
"The `returnto` parameter in `graphs_new.php` is not validated against the server's hostname before being passed to `loadPageNoHeader`, which unsafely inserts the response via `.html()`, allowing DOM-based XSS."
Attack vector
An authorized attacker crafts a link with a malicious `returnto` parameter pointing to an attacker-controlled server (e.g., `//attacker-server/index.php?//host.php`). The payload avoids filtered special characters like `"`, `'`, `(`, `)`, `<`, `>`. When the victim clicks the link and then clicks the "Cancel" button, the `cactiReturnTo` function passes the unsanitized URL to `loadPageNoHeader`, which makes an AJAX request and inserts the response via the `.html()` function, executing arbitrary JavaScript in the victim's browser [ref_id=1].
Affected code
The vulnerable component is `graphs_new.php`. The `cactiReturnTo` function calls `loadPageNoHeader` with a user-controlled `returnto` parameter, and `loadPageNoHeader` uses the unsanitized `.html()` function, leading to DOM XSS [ref_id=1]. The patch modifies the `saveFilter()` function in `graphs_new.php` to validate the `returnto` parameter against the server's hostname [ref_id=2].
What the fix does
The patch in `graphs_new.php` adds hostname validation for the `returnto` parameter. It parses the `HTTP_REFERER` and the `returnto` parameter using `parse_url()`, and if the host does not match `$_SERVER['SERVER_NAME']`, it resets `returnto` to the safe default `'host.php'` [ref_id=2]. This prevents an attacker from injecting an external URL that would be passed to `loadPageNoHeader` and rendered unsanitized via `.html()`.
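The same-host check described above, as an added illustrative example (not Cacti's own code from the fix commit): it parses the candidate `returnto` value with `parse_url()` and falls back to `'host.php'` unless the target stays on this server. The function name, the `$serverName` argument (standing in for `$_SERVER['SERVER_NAME']`), the sample inputs and the extra backslash and scheme checks are assumptions; the `HTTP_REFERER` handling from the real patch is omitted.

```php
<?php
// Added, illustrative example (not Cacti's own code): same-host validation of a
// "returnto"-style parameter, modelled on the fix described above. The function
// name, the $serverName argument and the sample inputs are assumptions.

// Return $returnto when it stays on this server, otherwise the safe default.
// In Cacti the comparison target is $_SERVER['SERVER_NAME']; it is passed in
// here so the function runs without a web server.
function safe_return_to(?string $returnto, string $serverName, string $default = 'host.php'): string
{
    if ($returnto === null || $returnto === '') {
        return $default;
    }
    // Browsers treat "\" like "/" (so "/\other-host" is protocol-relative) but
    // parse_url() does not; reject backslashes and control characters outright.
    if (strpbrk($returnto, "\\\0\r\n\t") !== false) {
        return $default;
    }
    $parts = parse_url($returnto);
    if ($parts === false) {
        return $default;                       // unparsable input
    }
    // Only http(s) or scheme-less targets are acceptable.
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    // Absolute and protocol-relative ("//other-host/...") URLs carry a host,
    // which must be this server. A plain relative path has no host and passes.
    if (isset($parts['host']) && strcasecmp($parts['host'], $serverName) !== 0) {
        return $default;
    }
    return $returnto;
}

// Constructed inputs, assuming the server name "cacti.example".
$server = 'cacti.example';
foreach ([
    'host.php',
    'https://cacti.example/graphs_new.php?host_id=1',
    '//attacker-server/index.php?//host.php',  // shape quoted in the advisory
    '/\\attacker-server/index.php',
    'https://cacti.example@attacker-server/',  // userinfo form: the host is attacker-server
] as $candidate) {
    printf("%-48s => %s\n", $candidate, safe_return_to($candidate, $server));
}
```

Only the first two candidates are returned unchanged; the rest collapse to `host.php`, which is the behaviour a regression test for this fix should assert.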
Preconditions
- auth: The attacker must be an authorized user of the Cacti instance.
- input: The victim must click a crafted link and then click the 'Cancel' button on the graphs_new.php page.
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9 (MITRE, x_refsource_MISC)
- https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr (MITRE, x_refsource_CONFIRM)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/ (MITRE)