CVE-2024-31459

Name
CVE-2024-31459
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be implemented. There is a file inclusion issue with the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in database. The read data is directly used to concatenate the file path which is used for file inclusion. Version 1.2.27 contains a patch for the issue.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
security-advisories@github.com https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
security-advisories@github.com https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp

Match rules

CPE URI Source package Min version Max version

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
cacti edge-community 1.2.27-r0 Jeff Bilyk <jbilyk@gmail.com> fixed
cacti 3.19-community 1.2.27-r0 Jeff Bilyk <jbilyk@gmail.com> fixed
cacti 3.20-community 1.2.27-r0 Jeff Bilyk <jbilyk@gmail.com> fixed