CVE-2023-49086: 
Cacti vulnerability analysis and mitigation

CVE-2023-49086 affects Cacti, a robust performance and fault management framework and frontend to RRDTool. The vulnerability was discovered in versions prior to 1.2.27 and involves bypassing an earlier fix for CVE-2023-39360, leading to a DOM XSS attack. The vulnerable component is identified as graphs_new.php (GitHub Advisory, NVD).

The vulnerability is a DOM-based Cross-Site Scripting (XSS) attack that affects authorized users. The issue stems from insufficient sanitization of data transferred from external sources in the graphs_new.php component. The vulnerability has a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity, requiring low privileges and user interaction (GitHub Advisory).

When successfully exploited, the vulnerability allows the execution of arbitrary JavaScript code in the attacked user's browser. This can potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (GitHub Advisory).

The vulnerability has been patched in Cacti version 1.2.27. Organizations are advised to upgrade to this version or later to address the security issue. The fix includes improved sanitization of data transferred from external sources (NVD, Fedora Update).