CVE-2024-43365 MEDIUM

CVE-2024-43365: Stored Cross-site Scripting (XSS) when creating external links in Cacti

Vendor Cacti
Product cacti
Weakness CWE-79 · XSS
Published October 7, 2024
Last update November 3, 2025
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Cacti is an open source performance and fault management framework. The`consolenewsection` parameter is not properly sanitized when saving external links in links.php . Morever, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

October 7, 2024 CVE published
November 3, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-7294 SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting CVE-2025-3752 Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter CVE-2024-21724 [20240203] - Core - XSS in media selection fields CVE-2021-34354 Stored Cross-site Scripting Vulnerability in Photo Station CVE-2024-11192 Spotify Play Button for WordPress <= 2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode