Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2024-29895

Published: 14/05/2024 Updated: 14/05/2024

Vulnerability Summary

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.

Vulnerability Trend

Vendor Advisories

Check Point Security Alerts: Cacti Command Injection (CVE-2024-29895)
Check Point Reference: CPAI-2024-0293 Date Published: 16 May 2024 Severity: Critical ...

Github Repositories

https://github.com/Rubioo02/CVE-2024-29895

CVE-2024-29895 | RCE on CACTI 1.3.X dev

CVE-2024-29895 - RCE ON CACTI WarningThis is an educational project, I am not responsible for any use Usage: python3 pocpy -c whoami [-u targetcom] [-f urlstxt] Cacti versions 13X dev where cmd_realtimephp is present and register_argc_argv option is ON Command injection is possible thanks to a bug in an endpoint via get request Dork: Google: inurl:cmd_realtimep

https://github.com/secunnix/CVE-2024-29895

Cacti CVE-2024-29895 POC

CVE-2024-29895 Cacti CVE-2024-29895 POC

https://github.com/ticofookfook/CVE-2024-29895.py

Cacti RCE - CVE-2024-29895 Usage: python3 cve-2024-29895py -u targetcom/ -c id Affecting Cacti versions 13X on DEV builds where cmd_realtimephp is present and POLLER_ID is enabled Command Injection is possible via this endpoint, by requesting via GET with payload as HTML Query Parameters Dork: Google: inurl:cmd_realtimephp Shodan: Cacti Hunterhow: /productname=

https://github.com/nancyariah4/CVE-2024-29895-CactiRCE-PoC

CVE-2024-29895-CactiRCE-PoC , RCE, POC, CVE-2024-29895

Cacti RCE - CVE-2024-29895 Usage: `python3 CVE-2024-29895py -u targetcom/ Affecting Cacti versions 13X on DEV builds where cmd_realtimephp is present and POLLER_ID is enabled Command Injection is possible via this endpoint, by requesting via GET with payload as HTML Query Parameters so this script will create the user eviladmin Dork: Google: inurl:cmd_realtimeph

References

https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5mhttps://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683dhttps://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fchttps://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119https://nvd.nist.govhttps://github.com/Rubioo02/CVE-2024-29895https://advisories.checkpoint.com/defense/advisories/public/2024/cpai-2024-0293.html
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7073CVE-2024-5496CVE-2024-5495XPath injectionbypassCVE-2024-30043CVE-2024-24919denial of serviceCVE-2024-35468
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook