CVE-2024-29894

5.4 MEDIUM

📋 TL;DR

CVE-2024-29894 is a residual cross-site scripting (XSS) vulnerability in Cacti monitoring software that allows attackers to inject malicious JavaScript via unescaped PHP variables. This could enable impersonation of authenticated users to make unauthorized configuration changes. All Cacti installations prior to version 1.2.27 are affected.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions prior to 1.2.27
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: All Cacti installations are vulnerable regardless of configuration. The vulnerability exists in the core framework.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could hijack administrative sessions to modify system configurations, disable monitoring, or pivot to other systems in the network.

🟠 Likely Case

Attackers could steal session cookies, perform actions as authenticated users, or modify limited settings within Cacti.

🟢 If Mitigated

With proper input validation and output encoding, the risk is reduced to minimal impact on system integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have some level of access to inject malicious content into the vulnerable parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.27

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh

Restart Required: No

Instructions:

1. Back up your Cacti database and configuration files.
2. Download Cacti 1.2.27 from the official repository.
3. Replace the existing files with the new version.
4. Run the database upgrade script if prompted.
5. Verify the installation is functioning correctly.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement custom input validation that sanitizes the $title and $header variables before they are processed.

# Add custom validation in lib/functions.php before the raise_message_javascript function

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Restrict access to Cacti interface to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check Cacti version via web interface or by examining the version.php file

Check Version:

grep '\$version' include/global.php | head -1

Verify Fix Applied:

Verify that the version is 1.2.27 or higher and that the raise_message_javascript function properly escapes its variables.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript injection attempts in web server logs
  • Multiple failed authentication attempts followed by successful login from same IP

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests to Cacti endpoints

SIEM Query:

source="web_server_logs" AND (url="*cacti*" AND (message="*<script>*" OR message="*javascript:*" OR message="*onerror=*"))
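As an added example (not part of this advisory), the SIEM query above expressed as a small Python scanner run over constructed web server log lines; it goes one step further than the literal pattern match by URL-decoding the request path, so percent-encoded forms of the same markers are caught as well. The combined log format, the sample lines and the IP addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:10:01:02 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2024:10:01:07 +0000] "GET /cacti/index.php?title=<script>alert(1)</script> HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [10/Apr/2024:10:01:09 +0000] "GET /cacti/index.php?header=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.4 - - [10/Apr/2024:10:02:00 +0000] "GET /grafana/?q=<script> HTTP/1.1" 200 99 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2024:10:02:30 +0000] "GET /cacti/index.php?title=javascript:alert(1) HTTP/1.1" 200 812 "-" "curl/8.0"
"""

# The same three markers the SIEM query looks for, matched case-insensitively.
XSS_MARKERS = ("<script>", "javascript:", "onerror=")

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(url):
    """True if the request targets a Cacti path and carries one of the XSS markers."""
    # Decode twice so single- and double-percent-encoded payloads are normalised;
    # the raw SIEM query only sees the literal strings.
    decoded = unquote_plus(unquote_plus(url)).lower()
    return "cacti" in decoded and any(marker in decoded for marker in XSS_MARKERS)

def scan_log(text):
    """Return (client_ip, request_url) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["url"]):
            hits.append((rec["ip"], rec["url"]))
    return hits

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{url}")
```

The Grafana line is ignored because the query is scoped to Cacti paths, and the encoded onerror= line is only caught thanks to the decoding step.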
