CVE-2023-49086

Name
CVE-2023-49086
Description
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`. The impact of the vulnerability is execution of arbitrary JavaScript code in the attacked user's browser. This issue has been patched in version 1.2.27.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr
security-advisories@github.com https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
security-advisories@github.com https://github.com/Cacti/cacti/commit/6ec01c8b2983bf4fcb86f8c647655f74090b5be9
security-advisories@github.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cacti:cacti:1.2.25:*:*:*:*:*:*:* cacti == None == 1.2.25

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
cacti edge-community 1.2.26-r0 Jeff Bilyk <jbilyk@gmail.com> fixed
cacti edge-community 1.2.25-r0 Jeff Bilyk <jbilyk@gmail.com> possibly vulnerable
cacti 3.22-community 1.2.26-r0 None fixed
cacti 3.22-community 1.2.25-r0 None possibly vulnerable
cacti 3.21-community 1.2.26-r0 None fixed
cacti 3.20-community 1.2.26-r0 None fixed
cacti 3.19-community 1.2.26-r0 Jeff Bilyk <jbilyk@gmail.com> fixed
cacti 3.19-community 1.2.25-r0 Jeff Bilyk <jbilyk@gmail.com> possibly vulnerable