CVE-2023-49084
Local File Inclusion (RCE) in Cacti
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability execution of arbitrary code on the server.
Cacti es un framework robusto de gestión de fallos y rendimiento y una interfaz para RRDTool - a Time Series Database (TSDB). Al utilizar la inyección SQL detectada y el procesamiento insuficiente de la ruta del archivo incluido, es posible ejecutar código arbitrario en el servidor. La explotación de la vulnerabilidad es posible para un usuario autorizado. El componente vulnerable es `link.php`. Impacto de la vulnerabilidad de ejecución de código arbitrario en el servidor.
Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, or command injection.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-11-21 CVE Reserved
- 2023-12-21 CVE Published
- 2024-02-05 First Exploit
- 2025-02-13 CVE Updated
- 2025-05-11 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CAPEC
References (5)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/176995 | 2024-02-05 | |
| https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp | 2025-02-13 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|