CVE-2021-23225
MEDIUMCacti 1.1.38 - Authenticated Stored Cross-Site Scripting via User Copy Function
Title source: llmDescription
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.cacti.net/info/changelog
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html
Scores
CVSS v3
5.4
EPSS
0.0053
EPSS Percentile
41.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
cacti/cacti
1.1.38
debian/debian_linux
9.0
Published
Jan 19, 2022
Tracked Since
Feb 18, 2026