VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-du4b-tbxt-mqfr

Essentials
Severities (24)
References (6)
Severity details (10)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-du4b-tbxt-mqfr
Aliases	CVE-2023-39366
Summary	Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site-Scripting (XSS) Vulnerability allows an authenticated user to poison data stored in the _cacti_'s database. These data will be viewed by administrative _cacti_ accounts and execute JavaScript code in the victim's browser at view-time. The `data_sources.php` script displays the data source management information (e.g. data source path, polling configuration etc.) for different data visualizations of the _cacti_ app. CENSUS found that an adversary that is able to configure a malicious Device name, can deploy a stored XSS attack against any user of the same (or broader) privileges. A user that possesses the _General Administration>Sites/Devices/Data_ permissions can configure the device names in _cacti_. This configuration occurs through `http://<HOST>/cacti/host.php`, while the rendered malicious payload is exhibited at `http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in version 1.2.25. Users are advised to upgrade. Users unable to update should manually filter HTML output.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

System	Score	Found at
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
epss	0.00363	https://api.first.org/data/v1/epss?cve=CVE-2023-39366
cvssv3.1	6.1	https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
ssvc	Track*	https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
cvssv3.1	6.1	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
ssvc	Track*	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
cvssv3.1	6.1	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
ssvc	Track*	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
cvssv3.1	6.1	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
ssvc	Track*	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/
cvssv3.1	6.1	https://www.debian.org/security/2023/dsa-5550
ssvc	Track*	https://www.debian.org/security/2023/dsa-5550

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-39366
CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
dsa-5550		https://www.debian.org/security/2023/dsa-5550
GHSA-rwhh-xxm6-vcrv		https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-26T19:20:41Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-26T19:20:41Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZGB2UXJEUYWWA6IWVFQ3ZTP22FIHMGN/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5550

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-26T19:20:41Z/ Found at https://www.debian.org/security/2023/dsa-5550

Exploit Prediction Scoring System (EPSS)

Percentile	0.58345
EPSS Score	0.00363
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T19:11:07.196118+00:00	Alpine Linux Importer	Import	https://secdb.alpinelinux.org/v3.23/community.json	38.0.0