Bug 1224233 (CVE-2024-30268)

Summary: VUL-0: CVE-2024-30268: cacti: reflected cross-site scripting vulnerability in display_settings
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Andreas Stieger <Andreas.Stieger>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: camila.matos
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/405121/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-14 18:09:07 UTC
Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain the cookies of administrator and other users and fake their login using the obtained cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-30268
https://www.cve.org/CVERecord?id=CVE-2024-30268
https://github.com/Cacti/cacti/blob/08497b8bcc6a6037f7b1aae303ad8f7dfaf7364e/settings.php#L66
https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q
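The advisory above names the bug class (reflected XSS in a settings page) and its impact (session-cookie theft) but not the mechanics. The following is an added example, not Cacti's code and not the fix referenced in the commit above: a minimal page renderer that echoes request parameters raw, the same renderer with context-appropriate HTML escaping, and the session-cookie attributes that limit the damage of cookie theft when an XSS bug does slip through. All names (`render_vulnerable`, `render_hardened`, `session_cookie_header`, the `tab`/`msg` parameters) and the sample query string are constructed for illustration.

```python
"""Added example (not Cacti's code): reflected-XSS-prone rendering beside its
hardened form, plus the cookie hardening that limits cookie-theft impact."""
import html
from urllib.parse import parse_qs

# Constructed sample query string (not from the advisory): the "msg" value is
# URL-encoded markup that a browser would execute if it were echoed back raw.
SAMPLE_QUERY = "tab=general&msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _reflected_params(query_string: str) -> tuple[str, str]:
    """Pull the two hypothetical parameters a settings page might echo."""
    params = parse_qs(query_string)
    return params.get("tab", [""])[0], params.get("msg", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes request parameters straight into the HTML response.

    Whatever the caller put in the URL becomes part of the page, so markup in
    a parameter is parsed as markup: that is a reflected XSS."""
    tab, msg = _reflected_params(query_string)
    return f'<div class="settings" data-tab="{tab}"><p>{msg}</p></div>'


def render_hardened(query_string: str) -> str:
    """Same page, but each reflected value is escaped for the HTML context it
    lands in (text node and quoted attribute), so the browser treats the
    parameter as data rather than as markup. This is the actual fix for the
    bug class; cookie flags below only reduce the blast radius."""
    tab, msg = _reflected_params(query_string)
    safe_tab = html.escape(tab, quote=True)   # quote=True also escapes " and '
    safe_msg = html.escape(msg, quote=True)
    return f'<div class="settings" data-tab="{safe_tab}"><p>{safe_msg}</p></div>'


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for a session cookie.

    HttpOnly keeps the cookie out of document.cookie, so script injected via
    an XSS bug cannot read it; Secure restricts it to HTTPS; SameSite=Lax
    stops most cross-site requests from carrying it. A defence in depth for
    the cookie-theft impact the advisory describes, not a fix for the XSS."""
    return f"Set-Cookie: session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_script_tag(markup: str) -> bool:
    """Crude check used to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))   # script tag reaches the browser
    print(render_hardened(SAMPLE_QUERY))     # &lt;script&gt; is inert text
    print(session_cookie_header("placeholder-session-id"))
```

The escaping has to match the output context: `html.escape` with `quote=True` is correct for text nodes and quoted attribute values, but a value placed into a JavaScript string, a URL, or an unquoted attribute needs a different encoder. A detection-side counterpart is to alert on responses where a request parameter value appears verbatim in the HTML body together with `<` or `"`; that pattern is what the hardened renderer makes impossible.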
Comment 3 Camila Camargo de Matos 2024-05-14 18:12:14 UTC
Affected versions are 1.3.x only. Package cacti is not affected in any openSUSE codestream. Therefore, I will be closing the bug.