CVE-2014-4000 — Code Injection in Cacti

CWE-94 — Code Injection9 documents7 sources

Severity

8.8HIGHNVD

EPSS

1.1%

top 21.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedNov 15

Latest updateMay 17

Description

Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDcacti/cacti< 1.0.0

▶debiandebian/cacti< cacti 0.8.8e+ds1-1 (bookworm)

▶Debiancacti/cacti< 0.8.8e+ds1-1+3

🔴Vulnerability Details

GHSA

GHSA-gr67-7v65-6xcw: Cacti before 1↗2022-05-17

▶

OSV

CVE-2014-4000: Cacti before 1↗2017-11-15

▶

💥Exploits & PoCs

Exploit-DB

SHARP MX Series - Denial of Service↗2014-08-09

▶

📋Vendor Advisories

Debian

CVE-2014-4000: cacti - Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injec...↗2014

▶

💬Community

Bugzilla

CVE-2014-4000 cacti: Multiple issues fixed in 1.0.0 version [epel-all]↗2017-01-30

▶

Bugzilla

CVE-2014-4000 cacti: Multiple issues fixed in 1.0.0 version↗2017-01-30

▶

Bugzilla

CVE-2014-4000 cacti: Multiple issues fixed in 1.0.0 version [fedora-all]↗2017-01-30

▶