CVE-2023-39515: 
Cacti vulnerability analysis and mitigation

Cacti is an open source operational monitoring and fault management framework affected by a Stored Cross-Site-Scripting (XSS) vulnerability (CVE-2023-39515) discovered in September 2023. The vulnerability affects versions prior to 1.2.25 and allows an authenticated user to poison data stored in the cacti's database that will be executed when viewed by administrative accounts (GitHub Advisory).

The vulnerability exists in the data_debug.php script which displays data source related debugging information such as data source paths, polling settings, and meta-data. The issue occurs because the $real_path variable is rendered without proper escaping, allowing for stored XSS attacks. The vulnerability has a CVSS v3.1 base score of 4.8 (MEDIUM) according to NVD, with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser when administrative users view the poisoned data. This could lead to account takeover, performing arbitrary actions as the victim user, redirecting users to malicious websites, data theft, or joining browser botnets for DDoS attacks (GitHub Advisory).

The vulnerability has been patched in Cacti version 1.2.25. Users are strongly advised to upgrade to this version or later. For users unable to update immediately, it is recommended to manually filter HTML output. Multiple Linux distributions have also released security updates including Debian and Fedora (Debian Advisory, Fedora Update).