CVE-2024-43364

Name	CVE-2024-43364
Description	Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php . Morever, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cacti (PTS)	jessie, jessie (lts)	0.8.8b+dfsg-8+deb8u10	vulnerable
	stretch (security), stretch (lts), stretch	0.8.8h+ds1-10+deb9u2	vulnerable
	buster (security), buster, buster (lts)	1.2.2+ds1-2+deb10u6	vulnerable
	bullseye	1.2.16+ds1-2+deb11u3	vulnerable
	bullseye (security)	1.2.16+ds1-2+deb11u4	vulnerable
	bookworm	1.2.24+ds1-1+deb12u4	vulnerable
	bookworm (security)	1.2.24+ds1-1+deb12u2	vulnerable
	sid, trixie	1.2.28+ds1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
cacti	source	jessie	(unfixed)	end-of-life
cacti	source	stretch	(unfixed)	end-of-life
cacti	source	buster	(unfixed)	end-of-life
cacti	source	(unstable)	1.2.28+ds1-1

https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5