CVE-2023-49084
Published 2023-12-21
Priority: P2 · 78 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 63.77% (99.1st percentile)
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is `link.php`. Impact of the vulnerability: execution of arbitrary code on the server.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | >= 0 < 1.2.16+ds1-2+deb11u3 | 1.2.16+ds1-2+deb11u3 |
| cacti | cacti | >= 0 < 1.2.24+ds1-1+deb12u2 | 1.2.24+ds1-1+deb12u2 |
| cacti | cacti | >= 0 < 1.2.26+ds1-1 | 1.2.26+ds1-1 |
| debian | cacti | < 1.2.24+ds1-1+deb12u2 (bookworm) | 1.2.24+ds1-1+deb12u2 (bookworm) |
The version strings above are Debian package versions; upstream Cacti fixed the issue in release 1.2.26.
Detection & IOCs (extracted from sources)
- CVE-2023-49084 is a Local File Inclusion (LFI) vulnerability in Cacti's link.php, chained with a SQL Injection (CVE-2023-49085) in pollers.php to achieve Remote Code Execution. Monitor for unusual include path parameters in requests to link.php.
- A public Metasploit module (cacti_pollers_sqli_rce) exists for this CVE chain. Monitor for exploitation attempts targeting /cacti/link.php and /cacti/pollers.php from authenticated sessions.
- Exploitation requires an authenticated user with 'Sites/Devices/Data' permission under 'General Administration'. Audit Cacti user permissions and alert on privilege assignments to this section.
- Exploitation requires authentication; unauthenticated attackers cannot directly trigger this vulnerability. Ensure Cacti login endpoints are not exposed publicly and enforce strong credential policies.
- This CVE (LFI in link.php) is only exploitable in combination with CVE-2023-49085 (SQLi in pollers.php). Both vulnerabilities must be present; patching either one breaks the full RCE chain. Upgrade Cacti to 1.2.26 or later.
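The monitoring advice in the bullets above (watch pollers.php for SQL injection, watch link.php for suspicious include-path values, and correlate the two from the same authenticated session) worked into a small detector, as an added example. This is not code from the indexed sources, the Metasploit module, or the Cacti project. It assumes Apache combined-format access logs; the sample lines are constructed, the SQLi and LFI regexes are rough heuristics, and the parameter names and payloads are placeholders chosen to exercise those heuristics, not the real injection point in pollers.php.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic in Apache "combined" log format. None of this is
# real Cacti traffic; parameter names and payloads are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Dec/2023:10:00:01 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - admin [21/Dec/2023:10:00:04 +0000] "GET /cacti/pollers.php?action=edit&id=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.0.0.5 - admin [21/Dec/2023:10:00:09 +0000] "GET /cacti/pollers.php?id=1%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - admin [21/Dec/2023:10:00:12 +0000] "GET /cacti/link.php?id=7 HTTP/1.1" 200 41 "-" "python-requests/2.31"
10.0.0.9 - - [21/Dec/2023:10:03:30 +0000] "GET /cacti/link.php?id=../../../../etc/passwd HTTP/1.1" 200 41 "-" "curl/8.0"
this line is not an access-log record and is skipped
"""

# Apache "combined" log format (assumed): ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Heuristics (assumptions, not signatures taken from the advisory).
SQLI_RE = re.compile(r"""('|"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()""", re.I)
LFI_RE = re.compile(r"(\.\./|\.\.\\|^/|php://|data:|file://)", re.I)
# How long after a SQLi-looking pollers.php request a link.php hit from the
# same source still counts as the second half of the chain.
CHAIN_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so the heuristics see the decoded payload.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines, window=CHAIN_WINDOW):
    """Return (kind, ip, user, target) alerts for the three behaviours above."""
    alerts = []
    last_sqli = {}  # (ip, user) -> time of latest SQLi-looking pollers.php request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # With Cacti's cookie-based login the user field is usually "-", so the
        # key degrades to the source IP; keep both in case HTTP auth is in front.
        key = (rec["ip"], rec["user"])
        script = rec["path"].rsplit("/", 1)[-1]
        values = [v for _, v in rec["params"]]
        if script == "pollers.php" and any(SQLI_RE.search(v) for v in values):
            alerts.append(("sqli_pollers", rec["ip"], rec["user"], rec["target"]))
            last_sqli[key] = rec["ts"]
        elif script == "link.php":
            if any(LFI_RE.search(v) for v in values):
                alerts.append(("lfi_link", rec["ip"], rec["user"], rec["target"]))
            seen = last_sqli.get(key)
            if seen is not None and timedelta(0) <= rec["ts"] - seen <= window:
                alerts.append(("chain_sqli_then_link", rec["ip"], rec["user"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: the SQLi-looking pollers.php request from 10.0.0.5, the link.php request that follows it from the same source within the window (the chain the bullets describe), and a link.php request carrying a traversal-style value. An alert is a lead, not proof of exploitation: the real chain writes its include path through the database rather than a request parameter, so treat any post-patch-window hit on these two scripts as worth a look and confirm the installed version is 1.2.26 or later.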
CVSS provenance
nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 8.8 HIGH
vendor_debian: 8.0 HIGH
Debian
CVE-2023-49084: cacti (vendor_debian · 2023 · CVSS 8.0 HIGH)
Scope: local
bookworm: resolved (fixed in 1.2.24+ds1-1+deb12u2)
bullseye: resolved (fixed in 1.2.16+ds1-2+deb11u3)
forky: resolved (fixed in 1.2.26+ds1-1)
sid: resolved (fixed in 1.2.26+ds1-1)
trixie: resolved (fixed in 1.2.26+ds1-1)
OSV
CVE-2023-49084: cacti (osv · 2023-12-21 · CVSS 8.8 HIGH)
No detection rules found.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html
https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
https://lists.debian.org/debian-lts-announce/2024/03/msg00018.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/RBEOAFKRARQHTDIYSL723XAFJ2Q6624X/