Fluid Attacks Database

Description

Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| >=0 <1.2.24+ds1-1+deb12u3	1.2.24+ds1-1+deb12u3
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| >=0 <1.2.16+ds1-2+deb11u4	1.2.16+ds1-2+deb11u4
debian 13	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1
debian 14	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1

Aliases

1. CVE-2024-314442. NVD-2024-314443. OSV-DEBIAN-2024-314444. OSV-2024-314445. SECURITY-TRACKER-CVE-2024-31444