Bug 1215058 (CVE-2023-39515)

Summary: VUL-0: CVE-2023-39515: cacti: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: Andreas.Stieger, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/377365/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39515:6.1:(AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1215024    

Description Cathy Hu 2023-09-06 08:37:21 UTC 
CVE-2023-39515

Cacti is an open source operational monitoring and fault management framework.
Affected versions are subject to a Stored Cross-Site-Scripting (XSS)
Vulnerability allows an authenticated user to poison data stored in the cacti's
database. These data will be viewed by administrative cacti accounts and execute
JavaScript code in the victim's browser at view-time. The script under
`data_debug.php` displays data source related debugging information such as
_data source paths, polling settings, meta-data on the data source_. _CENSUS_
found that an adversary that is able to configure a malicious data-source path,
can deploy a stored XSS attack against any user that has privileges related to
viewing the `data_debug.php` information. A user that possesses the _General
Administration>Sites/Devices/Data_ permissions can configure the data source
path in _cacti_. This configuration occurs through
`http://<HOST>/cacti/data_sources.php`. This vulnerability has been addressed in
version 1.2.25. Users are advised to upgrade. Users unable to update should
manually filter HTML output.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39515
https://bugzilla.redhat.com/show_bug.cgi?id=2237584
https://www.cve.org/CVERecord?id=CVE-2023-39515
https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h
Comment 1 Cathy Hu 2023-09-06 08:37:45 UTC 
Affected:
- openSUSE:Factory/cacti 1.2.24
- openSUSE:Backports:SLE-15-SP4/cacti 1.2.20
- openSUSE:Backports:SLE-15-SP5/cacti 1.2.23
Comment 2 Andreas Stieger 2023-09-06 20:47:20 UTC 
submitted
Comment 3 OBSbugzilla Bot 2023-09-06 21:35:28 UTC 
This is an autogenerated message for OBS integration:
This bug (1215058) was mentioned in
https://build.opensuse.org/request/show/1109347 Factory / cacti
https://build.opensuse.org/request/show/1109349 Backports:SLE-12+Backports:SLE-15-SP4+Backports:SLE-15-SP5 / cacti+cacti-spine
Comment 4 Cathy Hu 2023-09-25 12:20:48 UTC 
done, closing
Comment 5 Andreas Stieger 2023-09-25 12:35:17 UTC 
Reopening: Maintenance release request is still open, and waiting for reviews from qam-openqa and backports-reviewers.
https://build.opensuse.org/request/show/1109493
Comment 6 Marcus Meissner 2023-09-26 19:06:11 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 7 Marcus Meissner 2023-09-26 19:07:44 UTC 
openSUSE-SU-2023:0275-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1215040,1215042,1215043,1215044,1215045,1215047,1215050,1215051,1215052,1215053,1215054,1215055,1215056,1215058,1215059,1215081,1215082
CVE References: CVE-2023-30534,CVE-2023-39357,CVE-2023-39358,CVE-2023-39359,CVE-2023-39360,CVE-2023-39361,CVE-2023-39362,CVE-2023-39364,CVE-2023-39365,CVE-2023-39366,CVE-2023-39510,CVE-2023-39511,CVE-2023-39512,CVE-2023-39513,CVE-2023-39514,CVE-2023-39515,CVE-2023-39516
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    cacti-1.2.25-bp155.2.3.1, cacti-spine-1.2.25-bp155.2.3.1
openSUSE Backports SLE-15-SP4 (src):    cacti-1.2.25-bp154.2.9.1, cacti-spine-1.2.25-bp154.2.9.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    cacti-1.2.25-35.1, cacti-spine-1.2.25-29.1
Comment 8 Andreas Stieger 2023-09-26 19:10:14 UTC 
all done now, closing