CVE-2023-39360

Summary

CVE-2023-39360 is a stored Cross-Site-Scripting (XSS) vulnerability affecting versions of Cacti, an open-source operational monitoring framework. The issue lies in the `graphs_new.php` file where the 'returnto' parameter is directly passed to `form_save_button` without proper validation. An authenticated user can exploit this vulnerability by crafting malicious input containing 'host.php' to poison data. The vulnerability is mitigated in version 1.2.25. Users are strongly advised to upgrade, or, as an interim measure, manually filter HTML output.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.