Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xdbp-7rtr-fyb7
Vulnerability ID VCID-xdbp-7rtr-fyb7
Aliases CVE-2024-43365
Summary Cacti is an open source performance and fault management framework. The`consolenewsection` parameter is not properly sanitized when saving external links in links.php . Morever, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 5.1
Risk 2.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
epss 0.05293 https://api.first.org/data/v1/epss?cve=CVE-2024-43365
cvssv3.1 5.7 https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr
ssvc Track https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-43365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43365
GHSA-49f2-hwx9-qffr https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T13:58:21Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-49f2-hwx9-qffr
Exploit Prediction Scoring System (EPSS)
Percentile 0.89975
EPSS Score 0.05293
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:37:41.824567+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0