Cacti Vulnerable to File Inclusion and SQL Injection Attacks
CVE-2024-31459

8.1HIGH

Key Information:

Vendor

Cacti

Status
Cacti
Vendor
CVE Published:
14 May 2024

What is CVE-2024-31459?

Cacti, a tool for operational monitoring and fault management, has a significant file inclusion vulnerability in its lib/plugin.php file prior to version 1.2.27. This issue arises within the api_plugin_hook() function, which directly uses data from the plugin_hooks and plugin_config tables to construct file paths. An attacker can exploit this flaw, especially when combined with SQL injection vulnerabilities, to execute arbitrary code remotely. Version 1.2.27 addresses this issue through a patch that mitigates the risk. Users are strongly advised to upgrade to the latest version to ensure protection against potential exploits.

Affected Version(s)

cacti < 1.2.27

References

https://github.com/Cacti/cacti/security/advisories/GHSA-c...
x_refsource_CONFIRM
https://github.com/Cacti/cacti/security/advisories/GHSA-g...
x_refsource_MISC
https://github.com/Cacti/cacti/security/advisories/GHSA-p...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.