CVE-2023-39365: 
Cacti vulnerability analysis and mitigation

CVE-2023-39365 affects Cacti, an open source operational monitoring and fault management framework. The vulnerability was discovered in the Regular Expression validation combined with the external links feature, which can lead to SQL Injections and subsequent data leakage. The issue was disclosed on September 5, 2023, and has been addressed in version 1.2.25 (GitHub Advisory).

The vulnerability has received varying CVSS scores from different organizations, with NVD assigning a CVSS v3.1 base score of 6.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, while GitHub assigned a score of 4.6 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L. The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

The vulnerability can result in limited SQL Injections leading to data leakage from the affected Cacti installations. The impact affects confidentiality, integrity, and availability of the system, though all at a Low severity level according to the CVSS metrics (NVD).

The vulnerability has been fixed in Cacti version 1.2.25. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability. Various Linux distributions have also released security updates, including Debian and Fedora (Debian Security, Fedora Update).