Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2023-39361 — SQL Injection in Cacti
Severity
9.8 CRITICAL (NVD)
EPSS
92.3%
top 0.28%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Sep 5
Latest update: Apr 2
Description
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code exe…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 4 packages
Also affects: Fedora 37, 38
🔴Vulnerability Details
OSV (1)
CVE-2023-39361: Cacti is an open source operational monitoring and fault management framework (2023-09-05)
💥Exploits & PoCs
Nuclei (1)
Cacti 1.2.24 - SQL Injection