CVE-2023-50250

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-50250

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50250.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-50250

Aliases

CVE-2024-29894
GHSA-grj5-8fcj-34gh
GHSA-xwqc-7jc4-xm73

Related

Published

2023-12-22T17:15:09Z

Modified

2024-09-18T03:26:51.648119Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Cacti is an open source operational monitoring and fault management framework. A reflection cross-site scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to perform actions on behalf of other users. The vulnerability is found in templates_import.php. When uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. As of time of publication, no patched versions are available.

References

Affected packages

Debian:12 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.24+ds1-1+deb12u2

Affected versions

1.*

1.2.24+ds1-1

1.2.24+ds1-1+deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / cacti

Package

Name: cacti
Purl: pkg:deb/debian/cacti?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.26+ds1-1

Affected versions

1.*

1.2.24+ds1-1

1.2.25+ds1-1

1.2.25+ds1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/cacti/cacti

Affected ranges

Type: GIT
Repo: https://github.com/cacti/cacti
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

18500fa313a9f1ee1be48aa111c0eeea001010fa

Affected versions

releaes/1.*

releaes/1.2.19

release/1.*

release/1.0.0

release/1.0.1

release/1.0.2

release/1.0.3

release/1.0.4

release/1.0.5

release/1.0.6

release/1.1.0

release/1.1.1

release/1.1.11

release/1.1.12

release/1.1.13

release/1.1.14

release/1.1.15

release/1.1.16

release/1.1.17

release/1.1.18

release/1.1.19

release/1.1.2

release/1.1.20

release/1.1.21

release/1.1.22

release/1.1.23

release/1.1.24

release/1.1.25

release/1.1.26

release/1.1.27

release/1.1.28

release/1.1.29

release/1.1.3

release/1.1.30

release/1.1.31

release/1.1.32

release/1.1.33

release/1.1.34

release/1.1.35

release/1.1.36

release/1.1.37

release/1.1.38

release/1.1.4

release/1.1.5

release/1.1.6

release/1.1.7

release/1.1.8

release/1.2.0

release/1.2.0-beta1

release/1.2.0-beta2

release/1.2.0-beta3

release/1.2.0-beta4

release/1.2.1

release/1.2.10

release/1.2.11

release/1.2.12

release/1.2.13

release/1.2.14

release/1.2.15

release/1.2.16

release/1.2.17

release/1.2.18

release/1.2.19

release/1.2.2

release/1.2.20

release/1.2.21

release/1.2.22

release/1.2.23

release/1.2.24

release/1.2.25

release/1.2.3

release/1.2.4

release/1.2.5

release/1.2.6

release/1.2.7

release/1.2.8

release/1.2.9