CVE-2022-48547: Bypass output validation in select cases · Issue #1882 · Cacti/cacti
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the “ref” parameter at auth_changepassword.php.
v1.1.38 Stored XSS in user_admin.php
When creating a new user on /cacti/user_admin.php, using the “copy” method, it is possible to bypass user input validation. This allows for the creation of a user called <script>alert(1)</script>.
This username just meets the max characters allowed. However, this restriction can be circumvented to allow for longer usernames/XSS payloads by using a web application proxy and editing the request before it is sent to the server.
The stored XSS payload can be executed by clicking in the user’s profile and visiting the “General”, “Permissions”, or “User Settings” tabs.
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=general
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=realms
http://127.0.0.1/cacti/user_admin.php?action=user_edit&id=[#]&tab=settings
v1.1.38 Bypass Input Validation in user_group_admin.php
The same vulnerability, of using the “copy” approach to bypass input validation, exists on the user_group_admin.php page. However, I was unable to use the web application proxy trick to extend the field name.
When trying to go back and delete this, I ran into some issues that required me to manually go into the database and remove the group from the “user_auth_group” table.
EDIT - As a PoC I was able to use this for HTML injection, by creating the group <h1>test</h1>. However, the code only rendered when going back to delete the account:
Side-Note: <=0.8.7g Reflected XSS in auth_changepassword.php
I started looking into Cacti after I ran into version 0.8.7g for a customer. There were several reflected XSS vulnerabilities after authentication, but I came across this one in auth_changepassword.php that I did not see very well documented (I could be wrong about that).
/auth_changepassword.php?ref=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Looking at the code itself I saw a hidden parameter that does not validate user input. This code was modified in the later versions 0.8.7.h+.
-m8r0wn
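The two patterns reported above (a "copy" path that skips the validation the "new" path applies, with a length limit the client enforces but the server does not, and unencoded output of a username in a text context and of the `ref` value inside a hidden input's attribute) are shown below in a small standalone Python module. This is an added illustration, not Cacti code or the reporter's code; the function names, the 50-character limit and the username character set are assumptions chosen for the example, and the payloads fed to it are the ones quoted in the issue.

```python
"""Illustrative server-side defences for the issues above (added example,
not Cacti code): (1) run the same username validator on every path that
creates a user, including "copy", and enforce the length limit on the
server; (2) HTML-encode usernames in a text context and the hidden `ref`
value in an attribute context when rendering them."""
import html
import re

MAX_USERNAME_LEN = 50  # assumed limit for the example; not taken from Cacti
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")  # assumed allow-list


def validate_username(username: str) -> bool:
    """Server-side check shared by the 'new' and 'copy' actions.

    Rejects empty names, names over the limit and any character outside
    the allow-list, so editing the request in a web proxy to remove the
    client-side maxlength does not let a longer payload through.
    """
    if not username or len(username) > MAX_USERNAME_LEN:
        return False
    return bool(USERNAME_RE.match(username))


def create_user(action: str, username: str, users: dict) -> bool:
    """Both code paths funnel through the same validator before the insert."""
    if action not in ("new", "copy"):
        raise ValueError("unknown action: %r" % action)
    if not validate_username(username):
        return False
    users[username] = {"source": action}
    return True


def render_user_tab(username: str, tab: str) -> str:
    """Tab heading with the username encoded for an HTML text context,
    so <script>alert(1)</script> is shown literally instead of executed."""
    return "<h2>%s - %s</h2>" % (html.escape(username), html.escape(tab))


def render_hidden_ref(ref: str) -> str:
    """Hidden `ref` field with the value encoded for an attribute context.

    quote=True turns '"' into &quot;, so the "><script>... payload from the
    auth_changepassword.php report cannot close the value attribute.
    """
    return '<input type="hidden" name="ref" value="%s">' % html.escape(ref, quote=True)


if __name__ == "__main__":
    users = {}
    # Payloads quoted in the issue, fed through the hardened paths.
    print(create_user("copy", "<script>alert(1)</script>", users))
    print(create_user("copy", "<h1>test</h1>", users))
    print(render_user_tab("<script>alert(1)</script>", "General"))
    print(render_hidden_ref('"><script>alert(document.domain)</script>'))
```

The point of funnelling both actions through `create_user` is that a second entry point cannot drift out of sync with the first; output encoding is kept as a separate layer because a name that passes validation today may still end up in a context (an attribute, a JavaScript string) that needs different escaping.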