Fluid Attacks Database

Description

Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in form_save() function in data_queries.php is not thoroughly checked and is used to concatenate the HTML statement in grow_right_pane_tree() function from lib/html.php , finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| >=0 <1.2.16+ds1-2+deb11u4	1.2.16+ds1-2+deb11u4
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| =1.2.24+ds1-1+deb12u2 \|\| >=0 <1.2.24+ds1-1+deb12u3	1.2.24+ds1-1+deb12u3
debian 13	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1
debian 14	cacti	>=0 <1.2.27+ds1-1	1.2.27+ds1-1

Aliases

1. CVE-2024-314432. NVD-2024-314433. OSV-DEBIAN-2024-314434. OSV-2024-314435. SECURITY-TRACKER-CVE-2024-31443