Cacti has incomplete fix for CVE-2023-39515

An authenticated attacker with **General Administration>Sites/Devices/Data** privileges sends a POST request to `data_sources.php` containing a malicious `data_source_path` parameter (e.g. an `<img>` tag with an `onerror` handler). This payload is stored in the database. When a victim who can view `data_debug.php` navigates to that page and hovers over the poisoned data source path, the browser renders the malicious HTML/JavaScript because the tooltip content is taken directly from the `title` attribute without sanitization [ref_id=1][ref_id=2]. The attack is a stored cross-site scripting (XSS) that executes in the victim's browser upon mouse hover.

The advisory states that the fix applied for CVE-2023-39515 in version 1.2.25 was incomplete [ref_id=1]. Although HTML encoding was added for the `title` attribute and the displayed value, the `title` attribute is passed to jQuery UI's tooltip via a custom `content` function that returns `$(this).prop('title')` unmodified. Because the browser decodes HTML entities when the attribute is read, the decoded payload becomes executable HTML when jQuery UI calls `.html(content)` on the tooltip element [ref_id=1]. The recommended remediation is to avoid using HTML content in tooltips or to sanitize the `title` value with a library like HTML Purifier before passing it to the tooltip [ref_id=1]. No complete fix has been included in Cacti as of the time of publication.