1. Home
  2. CVE Database
  3. CVE-2024-29894
MEDIUM · 5.4

CVE-2024-29894

Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-202...

Vulnerability Description

Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
CactiCacti< 1.2.27
FedoraprojectFedora39

Related Weaknesses (CWE)

CWE-116CWE-79

References

FAQ

What is CVE-2024-29894?

CVE-2024-29894 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-202...

How severe is CVE-2024-29894?

CVE-2024-29894 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-29894?

Check the references section above for vendor advisories and patch information. Affected products include: Cacti Cacti, Fedoraproject Fedora.