CVE-2023-49088
Cacti vulnerability analysis and mitigation

Overview

CVE-2023-49088 is a Cross-Site Scripting (XSS) vulnerability in Cacti, an open source operational monitoring and fault management framework. It exists because the fix for CVE-2023-39515 shipped in version 1.2.25 was incomplete: an adversary who can control a data source path can have malicious script execute in a victim's browser when the victim hovers the mouse over that path in data_debug.php. The vulnerability was disclosed in December 2023 and affects Cacti version 1.2.25 (GitHub Advisory).

Technical details

The vulnerability stems from improper handling of tooltip content in the jquery-ui tooltip implementation. Although HTML encoding was applied to both the 'title' attribute and the displayed value of the data source path, the 'title' attribute is then handed to jquery-ui in an unsafe way: Cacti overrides jquery-ui's default tooltip behaviour in layout.js and managers.php so that tooltips render HTML content without sanitization. Because the browser decodes character references when it parses an attribute value, reading the 'title' attribute from the DOM yields the original, unencoded string, so the HTML encoding no longer protects anything once that string is rendered as HTML in the tooltip (GitHub Advisory).

Impact

When successfully exploited, the vulnerability allows attackers to perform various malicious actions including victim-account takeover, executing arbitrary actions as the victim user, redirecting users to malicious websites, requesting sensitive information under the guise of the Cacti webpage, running browser-related exploits, and potentially incorporating the victim's browser into a botnet for DDoS attacks. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory).

Mitigation and workarounds

As of the initial disclosure, no complete fix has been included in Cacti. The recommended mitigation is to avoid using HTML content in jquery-ui tooltips and to revert the tooltip processing flow to jquery-ui's default (text-only) behaviour. If HTML content in tooltips is required, the 'title' value should be passed through a sanitizer such as HTML Purifier before it is displayed (GitHub Advisory).
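The following is an added illustration of the mechanism described under "Technical details" and of the two mitigations recommended above; it is not Cacti's code and runs in Node without a browser. It models the browser's attribute decoding with a small entity decoder, renders a data source cell the way the 1.2.25 fix encodes it, and then feeds the decoded 'title' through three tooltip content functions: the HTML-as-is override (the flawed pattern), the jquery-ui text default, and an allowlist sanitizer. The sanitizer is a simplified stand-in for HTML Purifier, not the library itself; all function names, the allowlist and the sample path are assumptions.

```javascript
// Added example modelling CVE-2023-49088; not Cacti's code.
// Function names, the allowlist and the sample path are assumptions.

// Server side: the output encoding Cacti applies to the title attribute and value.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Browser side: the HTML parser decodes character references in attribute
// values, so element.title / getAttribute('title') returns the raw string.
function decodeAttribute(encoded) {
  return String(encoded)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Render a data_debug.php cell the way the 1.2.25 fix does: encoded on output.
function renderDataSourceCell(path) {
  const enc = htmlEncode(path);
  return `<span title="${enc}">${enc}</span>`;
}

// What the browser exposes as element.title for that markup.
function titlePropertyOf(markup) {
  const m = /title="([^"]*)"/.exec(markup);
  return m ? decodeAttribute(m[1]) : '';
}

// Flawed tooltip override: the decoded title is handed back as HTML content.
function tooltipContentAsHtml(titleProp) {
  return titleProp;
}

// jquery-ui default: the title is rendered as text (encoded again on output).
function tooltipContentAsText(titleProp) {
  return htmlEncode(titleProp);
}

// Allowlist sanitizer (simplified stand-in for HTML Purifier): keeps bare
// <b>, <i>, <br> tags, drops every other tag and every attribute, and
// encodes any stray angle brackets left in text.
const ALLOWED_TAGS = new Set(['b', 'i', 'br']);
function sanitizeTooltipHtml(html) {
  const kept = String(html).replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g,
    (_, slash, name) => ALLOWED_TAGS.has(name.toLowerCase())
      ? `<${slash}${name.toLowerCase()}>` : '');
  // Only the tags rebuilt above survive as markup; encode everything else.
  return kept.split(/(<\/?(?:b|i|br)>)/).map((part, i) =>
    i % 2 === 1 ? part : part.replace(/</g, '&lt;').replace(/>/g, '&gt;')).join('');
}

// Detection helper: does the tooltip body still contain an element start?
function containsMarkup(tooltipHtml) {
  return /<[a-zA-Z]/.test(tooltipHtml);
}

// Constructed sample path carrying markup (not a real Cacti value).
const SAMPLE_PATH = '<path_rra>/host.rrd" <img src=x onerror="alert(1)">';

function demo() {
  const markup = renderDataSourceCell(SAMPLE_PATH);
  const titleProp = titlePropertyOf(markup); // decoded back to SAMPLE_PATH
  return {
    markupIsEncoded: !markup.includes('<img'),
    titleDecoded: titleProp === SAMPLE_PATH,
    vulnerableHasMarkup: containsMarkup(tooltipContentAsHtml(titleProp)),
    textHasMarkup: containsMarkup(tooltipContentAsText(titleProp)),
    sanitizedHasMarkup: containsMarkup(sanitizeTooltipHtml(titleProp)),
  };
}

console.log(demo());
```

The point the run makes: `markupIsEncoded` is true, so the server-side encoding did its job, yet `titleDecoded` is also true because the browser gives the override the original string back; only the text default and the sanitized path leave no element in the tooltip body.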

Additional resources

Source: GitHub Advisory

This report was generated using AI.

Related Cacti vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-26520   CRITICAL  9.8    Cacti         cacti           No                Yes      Feb 12, 2025
CVE-2005-10004   HIGH      8.7    Cacti         cacti           No                Yes      Aug 30, 2025
CVE-2025-24367   HIGH      8.7    Cacti         cacti           No                Yes      Jan 27, 2025
CVE-2025-66399   HIGH      7.4    Cacti         cacti           No                Yes      Dec 02, 2025
CVE-2025-24368   MEDIUM    6.9    Cacti         cacti           No                Yes      Jan 27, 2025
