Bug 1224233 (CVE-2024-30268) - VUL-0: CVE-2024-30268: cacti: reflected cross-site scripting vulnerability in display_settings
Summary: VUL-0: CVE-2024-30268: cacti: reflected cross-site scripting vulnerability in...
Status: RESOLVED INVALID
Alias: CVE-2024-30268
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/405121/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-14 18:09 UTC by SMASH SMASH
Modified: 2024-05-14 18:12 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-14 18:09:07 UTC
Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain the cookies of administrators and other users and fake their login using the obtained cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-30268
https://www.cve.org/CVERecord?id=CVE-2024-30268
https://github.com/Cacti/cacti/blob/08497b8bcc6a6037f7b1aae303ad8f7dfaf7364e/settings.php#L66
https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q
Comment 3 Camila Camargo de Matos 2024-05-14 18:12:14 UTC
Affected versions are 1.3.x only. Package cacti is not affected in any openSUSE codestream. Therefore, I will be closing the bug.