Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.

CVE-2023-51448 is a blind SQL Injection vulnerability that requires credentials in order to exploit. However, if chained with another unpatched Cacti vulnerability, an exploit chain could lead to a compromise. Tenable Research is monitoring this vulnerability for additional information.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL     Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file     `managers.php'`. An authenticated attacker with the Settings/Utilities permission can send a crafted     HTTP GET request to the endpoint `/cacti/managers.php'` with an SQLi payload in the     `selected_graphs_array'` HTTP GET parameter. As of time of publication, no patched versions exist.
    (CVE-2023-51448)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2024-27a594f71d advisory.

    Update cacti and cacti-spine to version 1.2.27. This includes the upstream fixes for many CVEs, including     a critical remote code execution bug.

    - https://github.com/Cacti/cacti/blob/release/1.2.27/CHANGELOG
    - https://github.com/Cacti/spine/blob/release/1.2.27/CHANGELOG

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of cacti installed on the remote host is prior to 1.1.19-6.24. It is, therefore, affected by a vulnerability as referenced in the ALAS-2024-1915 advisory.

    Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL     Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file     `'managers.php'`. An authenticated attacker with the Settings/Utilities permission can send a crafted     HTTP GET request to the endpoint `'/cacti/managers.php'` with an SQLi payload in the     `'selected_graphs_array'` HTTP GET parameter. As of time of publication, no patched versions exist.
    (CVE-2023-51448)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2024:0031-1 advisory.

  - Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series     Database (TSDB). While using the detected SQL Injection and insufficient processing of the include file     path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is     possible for an authorized user. The vulnerable component is the `link.php`. Impact of the vulnerability     execution of arbitrary code on the server. (CVE-2023-49084)

  - Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it     is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able     to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability
    - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist.
    (CVE-2023-49085)

  - Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series     Database (TSDB). Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS attack. Exploitation of     the vulnerability is possible for an authorized user. The vulnerable component is the `graphs_new.php`.
    Impact of the vulnerability - execution of arbitrary javascript code in the attacked user's browser. This     issue has been patched in version 1.2.26. (CVE-2023-49086)

  - Cacti is an open source operational monitoring and fault management framework. The fix applied for     CVE-2023-39515 in version 1.2.25 is incomplete as it enables an adversary to have a victim browser execute     malicious code when a victim user hovers their mouse over the malicious data source path in     `data_debug.php`. To perform the cross-site scripting attack, the adversary needs to be an authorized     cacti user with the following permissions: `General Administration>Sites/Devices/Data`. The victim of this     attack could be any account with permissions to view `http://<HOST>/cacti/data_debug.php`. As of time of     publication, no complete fix has been included in Cacti. (CVE-2023-49088)

  - Cacti is an open source operational monitoring and fault management framework. A reflection cross-site     scripting vulnerability was discovered in version 1.2.25. Attackers can exploit this vulnerability to     perform actions on behalf of other users. The vulnerability is found in `templates_import.php.` When     uploading an xml template file, if the XML file does not pass the check, the server will give a JavaScript     pop-up prompt, which contains unfiltered xml template file name, resulting in XSS. An attacker exploiting     this vulnerability could execute actions on behalf of other users. This ability to impersonate users could     lead to unauthorized changes to settings. As of time of publication, no patched versions are available.
    (CVE-2023-50250)

  - Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL     Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file     `managers.php'`. An authenticated attacker with the Settings/Utilities permission can send a crafted     HTTP GET request to the endpoint `/cacti/managers.php'` with an SQLi payload in the     `selected_graphs_array'` HTTP GET parameter. As of time of publication, no patched versions exist.
    (CVE-2023-51448)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
258575	Linux Distros Unpatched Vulnerability : CVE-2023-51448	Nessus	Misc.	high
198241	Fedora 39 : cacti / cacti-spine (2024-27a594f71d)	Nessus	Fedora Local Security Checks	critical
190045	Amazon Linux AMI : cacti (ALAS-2024-1915)	Nessus	Amazon Linux Local Security Checks	high
189492	openSUSE 15 Security Update : cacti, cacti-spine (openSUSE-SU-2024:0031-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2023-51448

high

Tenable Plugins

high

critical

high

high