{ "id": "CVE-2024-43362", "sourceIdentifier": "security-advisories@github.com", "published": "2024-10-07T21:15:15.470", "lastModified": "2024-10-07T21:15:15.470", "vulnStatus": "Received", "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php` . Morever, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue." } ], "metrics": { "cvssMetricV31": [ { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.1, "impactScore": 5.2 } ] }, "weaknesses": [ { "source": "security-advisories@github.com", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-79" } ] } ], "references": [ { "url": "https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c", "source": "security-advisories@github.com" } ] }