CVE-2024-31443

2024-05-1415:25:20

Google

osv.dev

cacti

operational monitoring

fault management

data queries

html

cross-site scripting

vulnerability

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in form_save() function in data_queries.php is not thoroughly checked and is used to concatenate the HTML statement in grow_right_pane_tree() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.

CPENameOperatorVersion
cactieqrelease/1.1.13
cactieqrelease/1.1.4
cactieqrelease/1.2.3
cactieqrelease/1.1.38
cactieqrelease/1.2.11
cactieqrelease/1.2.13
cactieqrelease/1.1.5
cactieqrelease/1.1.34
cactieqrelease/1.2.21
cactieqrelease/1.1.37

Name	Operator	Version
cacti	eq	release/1.1.13
cacti	eq	release/1.1.4
cacti	eq	release/1.2.3
cacti	eq	release/1.1.38
cacti	eq	release/1.2.11
cacti	eq	release/1.2.13
cacti	eq	release/1.1.5
cacti	eq	release/1.1.34
cacti	eq	release/1.2.21
cacti	eq	release/1.1.37