Cacti Cross-site Scripting vulnerability when using JavaScript based messaging API
Description
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. raise_message_javascript from lib/functions.php now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables $title and $header. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Cacti (no CPE): range < 1.2.27
- openSUSE / SUSE packages (OSV coordinates, 11 entries; package URL and affected range, listed in the order the page gives them):
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.5: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Leap%2015.6: range < 1.2.27-bp156.2.3.1
  - pkg:rpm/opensuse/cacti&distro=openSUSE%20Tumbleweed: range < 1.2.27-1.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.5: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/opensuse/cacti-spine&distro=openSUSE%20Leap%2015.6: range < 1.2.27-bp156.2.3.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2012: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP5: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/suse/cacti&distro=SUSE%20Package%20Hub%2015%20SP6: range < 1.2.27-bp156.2.3.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2012: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP5: range < 1.2.27-bp155.2.9.1
  - pkg:rpm/suse/cacti-spine&distro=SUSE%20Package%20Hub%2015%20SP6: range < 1.2.27-bp156.2.3.1
Patches
Vulnerability mechanics
Root cause
"The `raise_message_javascript` function generates JavaScript code using unescaped PHP variables, allowing for injection."
Attack vector
An attacker can exploit this vulnerability by uploading a specially crafted XML template file. If the file fails validation, the server will display a JavaScript pop-up containing the unfiltered filename, which can include malicious JavaScript code. This can be achieved by accessing the `templates_import.php` page and uploading a file named `');alert(1);var xx = '.xml` or `');alert(1);('`. [ref_id=1, ref_id=2]
Affected code
The vulnerability resides in the `raise_message_javascript` function located in `lib/functions.php`. This function is responsible for displaying JavaScript messages, and it directly embeds the `$title` and `$header` variables into script tags without proper sanitization. The issue arises when these variables, which can contain user-supplied data like filenames, are not escaped, allowing for script injection. [ref_id=1, ref_id=2]
What the fix does
The fix involves properly sanitizing the `$title` and `$header` variables before they are embedded within the JavaScript code. This is achieved by using `json_encode` to ensure that any special characters, including single quotes, are correctly escaped, preventing them from breaking out of the JavaScript string literals. This prevents the injection of arbitrary JavaScript code. [ref_id=2]
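The two shapes described above, side by side, as an added illustration that is not Cacti's own code: `build_message_script_unsafe` and `build_message_script_safe` are hypothetical names, and the sample title and filename are constructed. The unsafe version splices the PHP values straight into a JavaScript string literal; the hardened version lets `json_encode` produce the whole literal, with the `JSON_HEX_*` flags added so the result is also safe inside an HTML `<script>` body.

```php
<?php
// Added example (not Cacti's code): the vulnerable pattern the advisory
// describes next to a json_encode-based hardening of it.

// Vulnerable shape: $title and $header are dropped into a JS string literal
// verbatim, so a single quote in either value ends the literal early and
// whatever follows is parsed as JavaScript.
function build_message_script_unsafe(string $title, string $header): string
{
    return "<script>showMessage('" . $title . "', '" . $header . "');</script>";
}

// Hardened shape: json_encode emits a complete, double-quoted JS string
// literal with quotes, backslashes, control characters and "/" escaped.
// JSON_HEX_TAG/APOS/QUOT/AMP additionally encode < > ' " & as \uXXXX so
// the literal cannot close the surrounding <script> element either.
// JSON_INVALID_UTF8_SUBSTITUTE (PHP 7.2+) keeps json_encode from returning
// false on malformed input such as an oddly encoded filename.
function build_message_script_safe(string $title, string $header): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_INVALID_UTF8_SUBSTITUTE;
    return '<script>showMessage('
        . json_encode($title, $flags) . ', '
        . json_encode($header, $flags)
        . ');</script>';
}

// Constructed sample: an ordinary filename that happens to contain a quote.
$title  = "Import failed";
$header = "File o'brien.xml did not validate";

// The quote in $header terminates the JS literal in the unsafe output; the
// safe output keeps it inside the literal as \u0027.
echo build_message_script_unsafe($title, $header), PHP_EOL;
echo build_message_script_safe($title, $header), PHP_EOL;
```

A useful regression check in a project that adopts this pattern is to assert that the generated markup never contains a raw `'`, `"`, `<` or `>` between the `showMessage(` call's parentheses other than the literal's own delimiting double quotes.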
Preconditions
- auth: The attacker must be logged into Cacti.
- input: The attacker must be able to upload a file.
Reproduction
1. Log in to Cacti.
2. Navigate to `http://ip/cacti/templates_import.php`.
3. Prepare an XML file with a malicious name, such as `');alert(1);var xx = '.xml` or `');alert(1);('`.xml.
4. Upload this file.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.