Main Vulnerability Database Vulnerabilities #VU84816

#VU84816 PHP file inclusion in Cacti - CVE-2023-49084

Published: December 27, 2023 / Updated: February 2, 2024

Vulnerability identifier: #VU84816

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green

CVE-ID: CVE-2023-49084

CWE-ID: CWE-98

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Cacti

Software vendor:
The Cacti Group, Inc.

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files in link.php. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Remediation

Install update from vendor's website.

External links

https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp

#VU84816 PHP file inclusion in Cacti - CVE-2023-49084

Description

Remediation

External links

Please verify you're human