CVE-2023-39361

CRITICAL NUCLEI

Cacti - SQL Injection

Title source: rule

Description

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (2)

nomisec WRITEUP
by ChoDeokCheol · poc
https://github.com/ChoDeokCheol/CVE-2023-39361
nomisec WRITEUP
by HPT-Intern-Task-Submission · poc
https://github.com/HPT-Intern-Task-Submission/CVE-2023-39361

Nuclei Templates (1)

Cacti 1.2.24 - SQL Injection
CRITICALVERIFIEDby ritikchaddha
Shodan: title:"Login to Cacti" || http.title:"login to cacti" || http.title:"cacti" || http.favicon.hash:"-1797138069"
FOFA: icon_hash="-1797138069" || title="cacti" || title="login to cacti"

References (6)

Scores

CVSS v3 9.8
EPSS 0.9228
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (3)
cacti/cacti 1.2.24
fedoraproject/fedora 37
fedoraproject/fedora 38
Published Sep 05, 2023
Tracked Since Feb 18, 2026