CVE-2023-39366: 
Cacti vulnerability analysis and mitigation

Cacti version 1.2.0 through 1.2.24 contains a Stored Cross-Site-Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in the Cacti's database. The vulnerability was discovered in September 2023 and affects the data source management functionality. The vulnerability has been assigned CVE-2023-39366 and has been patched in version 1.2.25 (GitHub Advisory).

The vulnerability exists in the datasources.php script which displays data source management information. An attacker with 'General Administration>Sites/Devices/Data' permissions can configure malicious Device names through the host.php interface. When these malicious device names are rendered in datasources.php, the JavaScript code is executed in the victim's browser. The vulnerability occurs because user-supplied information is not properly escaped before being rendered in the HTML output (GitHub Advisory). The vulnerability has a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N) (NVD).

If exploited, this vulnerability could allow an attacker to perform victim-account takeover, execute arbitrary actions on the platform as the victim user, redirect users to malicious websites, request sensitive information under the guise of the Cacti webpage, run browser-related exploits and attacks, or join a browser botnet for DDoS attacks (GitHub Advisory).

The vulnerability has been fixed in Cacti version 1.2.25. Users are advised to upgrade to this version. For users unable to update immediately, it is recommended to either make the affected content be a text element in the rendered HTML or escape the content using HTML entities to prevent malicious code execution (GitHub Advisory, Debian Security Advisory).