CVE-2019-17358

HIGH

Cacti < 1.2.7 - Out-of-Bounds Write


Description

Cacti through 1.2.7 is affected by multiple instances, in lib/functions.php, of unsafe deserialization of user-controlled data used to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti, or potentially cause memory corruption in the PHP module.

References (14)

Core References

- https://www.darkmatter.ae/xen1thlabs/ (Not Applicable; x_refsource_misc)
- https://lists.debian.org/debian-lts-announce/2019/12/msg00014.html (Mailing List, Third Party Advisory; x_refsource_misc)
- https://github.com/Cacti/cacti/issues/3026 (Issue Tracking, Third Party Advisory; x_refsource_misc)
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-17358 (Issue Tracking, Third Party Advisory; x_refsource_misc)
- https://seclists.org/bugtraq/2020/Jan/25 (Mailing List; mailing-list; x_refsource_bugtraq)
- https://www.debian.org/security/2020/dsa-4604 (Third Party Advisory; vendor-advisory; x_refsource_debian)
- https://security.gentoo.org/glsa/202003-40 (Third Party Advisory; vendor-advisory; x_refsource_gentoo)

Scores

CVSS v3: 8.1
EPSS: 0.0230
EPSS Percentile: 84.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE: CWE-502, CWE-787
Status: published
Products (3):
- cacti/cacti < 1.2.7
- debian/debian_linux 8.0
- opensuse/leap 42.3
Published: Dec 12, 2019
Tracked Since: Feb 18, 2026