CVE-2020-7058 — Improper Input Validation in Cacti

CWE-20 — Improper Input Validation5 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.8%

top 26.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cacti Debian Cacti

Timeline

PublishedJan 15

Latest updateMay 24

Description

data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input String to Data Collection -> Data Input Methods -> Unix -> Ping Host. NOTE: the vendor has stated "This is a false alarm.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcacti/cacti1.2.8

▶debiandebian/cacti

🔴Vulnerability Details

GHSA

GHSA-446h-xh8r-vwqx: ** DISPUTED ** data_input↗2022-05-24

▶

OSV

CVE-2020-7058: data_input↗2020-01-15

▶

OSV

CVE-2020-7058: ** DISPUTED ** data_input↗2020-01-15

▶

📋Vendor Advisories

Debian

CVE-2020-7058: cacti - data_input.php in Cacti 1.2.8 allows remote code execution via a crafted Input S...↗2020

▶