CVE-2023-49088 MEDIUM

CVE-2023-49088: Cacti has incomplete fix for CVE-2023-39515

Vendor Cacti
Product cacti
Weakness CWE-79 · XSS
Published December 22, 2023
Last update February 25, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete: it still enables an adversary to have a victim's browser execute malicious code when the victim hovers their mouse over the malicious data source path in `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized Cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of the time of publication, no complete fix has been included in Cacti.

Key dates

Disclosure timeline

December 22, 2023 CVE published
February 25, 2026 Record updated
