Cross-site scripting in Cacti - CVE-2024-43365

 


Published: October 7, 2024 / Updated: June 19, 2026


Vulnerability identifier: #VU134953
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-43365
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Cacti Group, Inc.
Affected software: Cacti

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to cross-site scripting in the consolenewsection parameter in links.php and its rendering in index.php when creating and viewing external links. A remote user can submit a specially crafted HTTP POST request to cause a denial of service.

The injected input is stored in the database and later reflected to users, and user interaction is required to view the malicious external link entry.
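
The stored-then-rendered pattern described above, shown with unencoded output beside an output-encoded version and a check for rows saved earlier. This is an added example, not Cacti's code; the function names, the array standing in for the database and the sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Cacti source code. All function and variable
// names are hypothetical; the sample values are constructed.

// Stand-in for the database rows that hold saved external-link sections.
$stored_sections = [
    1 => 'Reports',                         // ordinary section name
    2 => 'Tools<script>alert(1)</script>',  // markup saved as data
    3 => 'R&D "east"',                      // legitimate special characters
];

// Vulnerable pattern: the stored value is concatenated into HTML as-is,
// so any markup in it becomes part of the page every viewer receives.
function render_section_unsafe(string $name): string
{
    return '<li class="menuitem">' . $name . '</li>';
}

// Hardened pattern: encode for the HTML context at output time, so the
// stored value is always displayed as text, never parsed as markup.
function render_section_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="menuitem">' . $encoded . '</li>';
}

// Audit helper for rows saved before the update was installed: flag
// values containing angle brackets, which a plain section name has no
// reason to carry. Returns the ids of the rows to review.
function find_suspect_sections(array $rows): array
{
    return array_keys(array_filter(
        $rows,
        fn(string $v): bool => strpbrk($v, '<>') !== false
    ));
}

foreach ($stored_sections as $id => $name) {
    printf("%d unsafe: %s\n", $id, render_section_unsafe($name));
    printf("%d safe:   %s\n", $id, render_section_safe($name));
}
echo 'Rows to review: ' . implode(', ', find_suspect_sections($stored_sections)) . "\n";
```

Encoding at output leaves stored values such as row 3 intact for display, while the audit helper helps locate entries that were saved before the fix and should be reviewed by hand.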


How to mitigate CVE-2024-43365

Install the security update from the vendor's website.
