CVE-2023-39362

Published: 05/09/2023 Updated: 18/03/2024
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 0

Vulnerability Summary

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept some variables as input and place them into an `exec` call without proper escaping or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable Products

cacti cacti

fedoraproject fedora 37

fedoraproject fedora 38

Vendor Advisories

Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection. For the oldstable distribution (bullseye), these problems have been fixed in version 1.2.16+ds1-2+deb11u2. For the stable distribution ...
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functi ...

Exploits

Cacti version 1.2.24 authenticated command injection exploit that uses SNMP options ...

Github Repositories

WARNING: This is a vulnerable application to test the exploit for the Cacti command injection (CVE-2023-39362). Run it at your own risk!

Cacti v1.2.24 authenticated command injection (CVE-2023-39362) vulnerable application. This is a vulnerable application to test the exploit for the Cacti vulnerability (CVE-2023-39362). WARNING! This application contains serious security vulnerabilities. Run it at your own risk! It is recommended using a backed-up and sheltered environment (such as a VM with a recent snapshot an

Command injection vulnerability in Cacti (CVE-2023-39362) - PoC. This repo is forked from this repo: github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application. Cacti is an open-source operational monitoring and fault management framework, continually evolving to meet the dynamic needs of its user community. In version 1.2.24, a potential security vulnerability mark