CVE-2023-49084

Exploit

EPSS 88.34%
Published 21.12.2023 23:15:09
Last modified 21.11.2024 08:32:47
Source security-advisories@github.com
Teams watchlist Login
Open Login

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Cacti ≫ Cacti Version1.2.25

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	88.34%	0.995

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8	1.3	6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html

http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html

https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp

Vendor Advisory

Exploit

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/

https://nvd.nist.gov/vuln/detail/CVE-2023-49084

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49084

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49084

EUVD