CVE-2023-39361

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.25

Description Cacti is an open source operational monitoring and fault management framework. A SQL injection vulnerability was discovered in graph view.php. Since guest users can access graph view.php without authentication by default, there could be potential for significant damage if guest users are being utilized in an enabled state. Attackers may exploit this vulnerability, potentially leading to actions such as the usurpation of administrative privileges or remote code execution.

Recommendations For versions prior to 1.2.25, upgrade to version 1.2.25 or later to address the SQL injection vulnerability. As a temporary workaround, consider disabling access to graph view.php for guest users until a patch is available. Restrict access to the vulnerable graph view.php file to minimize the risk of exploitation. Avoid using the grow right pane tree() function in the affected graph view.php file until the issue is resolved.