Description

Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.

INFO

Published Date :

2024-05-13T14:24:32.871Z

Last Modified :

2025-02-13T17:47:43.692Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-29894 vulnerability.

Vendors Products
Cacti
  • Cacti
Fedoraproject
  • Fedora
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-29894.

URL Resource
https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh cve-icon cve-icon cve-icon
https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 cve-icon cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/[email protected]/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/ cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact