PT-2024-11: Local file Inclusion in Cacti

HIGH

(8.7) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

THREATSCAPE

Analytics articles

10 December 2024
Artificial intelligence in cyberattacks
9 December 2024
A look at India through the dark web: what hackers are after
27 November 2024
Cyberthreats in the financial industry: H2 2023 – H1 2024

What are the security threats on your network?

Check your traffic-for free

Request pilot

Vendor: Cacti

Product: Cacti

Vulnerable version: 1.2.25

Vulnerability type:

- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Identifier (ID):

BDU:2024-03557

CVE-2023-49084

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- Severity (CVSSv3.1): 8.8 (high)

- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

- Severity (CVSSv4.0): 8.7 (high)

Description:

The vulnerability was identified in Cacti version 1.2.25 and below. It leads to the possibility of executing arbitrary code on the server. The vulnerability can be exploited by an authorized user using SQL injection and due to insufficient processing of the path to the included file.

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 20.12.2023

Recommendations: Update to version 1.2.26 or higher

Additional information: Security Advisory

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:

CVE-2023-49084

Vendor:

Cacti

Vulnerable product:

Cacti

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Pilot
application

Test drive our solutions with a customized pilot program.