CVE-2023-39362

HIGH Year: 2023
CVSS v3 Score
7.2
High
Weakness Type
CWE-78
View all →

Vulnerability Description

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2013-3322

HIGH
CVSS:7.2(High)

NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface.

CWE-782013

CVE-2015-2201

HIGH
CVSS:7.2(High)

Aruba AirWave before 7.7.14.2 and 8.x before 8.0.7 allows VisualRF remote OS command execution and file disclosure by administrative users.

CWE-782015

CVE-2016-11021

HIGH
CVSS:7.2(High)

setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.

CWE-782016

CVE-2016-11022

HIGH
CVSS:7.2(High)

NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_...

CWE-782016

CVE-2016-11054

HIGH
CVSS:7.2(High)

NETGEAR DGN2200v4 devices before 2017-01-06 are affected by command execution and an FTP insecure root directory.

CWE-782016

CVE-2016-6373

HIGH
CVSS:7.2(High)

The web-based GUI in Cisco Cloud Services Platform (CSP) 2100 2.0 allows remote authenticated administrators to execute arbitrary OS commands as root via crafted platform commands, aka Bug ID CSCva005...

CWE-782016