CVE-2023-39360— Cacti 跨站脚本漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2023-39360の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Reflected Cross-site Scripting in graphs_new.php in Cacti
ソース: NVD (National Vulnerability Database)
脆弱性説明
Cacti is an open source operational monitoring and fault management framework.Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data. The vulnerability is found in `graphs_new.php`. Several validations are performed, but the `returnto` parameter is directly passed to `form_save_button`. In order to bypass this validation, returnto must contain `host.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Cacti 跨站脚本漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Cacti是Cacti团队的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据,使用RRDtool绘画图形进行分析,并提供数据和用户管理功能。 Cacti 存在跨站脚本漏洞,该漏洞源于returnto参数直接传递给了form_save_button。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2023-39360の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2023-39360のインテリジェンス情報
请登录查看更多情报信息。
- https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2023-39360
Same Patch Batch · Cacti · 2023-09-05 · 17 CVEs total
| CVE-2023-39361 | 9.8 CRITICAL | Unauthenticated SQL Injection in graph_view.php in Cacti |
| CVE-2023-39359 | 8.8 HIGH | Authenticated SQL injection vulnerability in graphs.php in Cacti |
| CVE-2023-39358 | 8.8 HIGH | Authenticated SQL injection vulnerability in reports_user.php in Cacti |
| CVE-2023-39357 | 8.8 HIGH | A Defect in sql_save() Causes Multiple SQL Injection Vulnerabilities in Cacti |
| CVE-2023-31132 | 7.8 HIGH | Cacti Privilege Escalation |
| CVE-2023-39362 | 7.2 HIGH | Authenticated command injection in SNMP options of a Device |
| CVE-2023-39515 | 6.1 MEDIUM | Stored Cross-site Scripting on data_debug.php datasource path view in Cacti |
| CVE-2023-39514 | 6.1 MEDIUM | Stored Cross-site Scripting on graphs.php data template formated name view in Cacti |
| CVE-2023-39513 | 6.1 MEDIUM | Stored Cross-site Scripting on host.php verbose data-query debug view in Cacti |
| CVE-2023-39512 | 6.1 MEDIUM | Stored Cross-site Scripting on data_sources.php device name view in Cacti |
| CVE-2023-39510 | 6.1 MEDIUM | Stored Cross-site Scripting in reports_admin.php through Device-Name in 'select' input in |
| CVE-2023-39366 | 6.1 MEDIUM | Stored Cross-site Scripting in data_sources.php through Device-Name in 'select' input in C |
| CVE-2023-39516 | 6.1 MEDIUM | Stored Cross-Site-Scripting on data_sources.php debug html-block in Cacti |
| CVE-2023-39365 | 4.6 MEDIUM | Unchecked regular expressions can lead to SQL Injection and data leakage in Cacti |
| CVE-2023-30534 | 4.3 MEDIUM | Insecure Deserialization in Cacti |
| CVE-2023-39364 | 3.5 LOW | Open redirect in change password functionality in Cacti |
IV. 関連脆弱性
同じ製品: cacti
同じベンダー: Cacti
同じ弱点: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. CVE-2023-39360へのコメント
まだコメントはありません