Main Vulnerability Database SB2013080606

SB2013080606 - Code Injection in cacti (Alpine package)

Published: August 6, 2013

Security Bulletin ID SB2013080606

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Code Injection (CVE-ID: CVE-2013-1435)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=6b1166aa69670d64f2077805845475d1578ffced
https://git.alpinelinux.org/aports/commit/?id=c88fc5c79c5875673a0c57f1c601d036d9aa4931
https://git.alpinelinux.org/aports/commit/?id=fc5baa3bdab71d5d17ccaba0cf040f2bec2d7f7d