CVE-2023-39360: 
Cacti vulnerability analysis and mitigation

Cacti is an open source operational monitoring and fault management framework that contains a Stored Cross-Site-Scripting (XSS) vulnerability (CVE-2023-39360) discovered on September 5, 2023. The vulnerability affects versions prior to 1.2.25 and allows an authenticated user to poison data (GitHub Advisory).

The vulnerability is located in graphs_new.php where the returnto parameter is directly passed to form_save_button without proper validation. While some validations are performed, they can be bypassed if the returnto parameter contains host.php. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows an authenticated attacker to execute arbitrary JavaScript code in the victim's browser, potentially leading to unauthorized actions being performed on behalf of other users or complete account takeover (GitHub Advisory).

The vulnerability has been patched in Cacti version 1.2.25. Users are advised to upgrade to this version or later. For users unable to update immediately, it is recommended to manually filter HTML output (NVD).

Multiple Linux distributions have released security updates to address this vulnerability, including Fedora and Debian. Fedora released updates for versions 37, 38, and 39 (Fedora Update), while Debian included fixes in their security update DLA-3765-1 (Debian Update).