Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code
May 14, 2024
Network Monitoring / Vulnerability
The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code. The most severe of the vulnerabilities are listed below - CVE-2024-25641 (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server, resulting in remote code execution CVE-2024-29895 (CVSS score: 10.0) - A command injection vulnerability allows any unauthenticated user to execute arbitrary command on the server when the " register_argc_argv " option of PHP is On Also addressed by Cacti are two other high-severity flaws that could lead to code execution via SQL injection and file inclusion - CVE-2024-31445 (CVSS score: 8.8) - An SQL injection vulnerability in api_automation.php that ...
