Cross-site scripting in Cacti - CVE-2024-43362

 


Published: October 7, 2024 / Updated: June 19, 2026


Vulnerability identifier: #VU134954
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-43362
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Cacti Group, Inc.
Affected software: Cacti

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the external links functionality when processing the fileurl parameter while creating external links. A remote user can submit a specially crafted fileurl value to execute arbitrary script in a victim's browser.

User interaction is required to view the affected page, and exploitation can occur when the victim opens the main console page or the external link view page.


How to mitigate CVE-2024-43362

Install the security update from the vendor's website.
