DEBIAN-CVE-2024-31459
PUBLISHED
CVSS 7.2 HIGH
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, the `api_plugin_hook()` function in the `lib/plugin.php` file has a file inclusion issue: it reads the `plugin_hooks` and `plugin_config` tables in the database and uses the data it reads directly to concatenate the file path that is then included. Combined with SQL injection vulnerabilities, this can lead to remote code execution. Version 1.2.27 contains a patch for the issue.
Risk Scores
CVSS v3.1
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | cacti | 0 |
| Debian:12 | cacti | 1.2.24+ds1, 1.2.24+ds1, 1.2.24+ds1 |
| Debian:13 | cacti | 0, 0 |
| Debian:11 | cacti | 1.2.16+ds1-2, 1.2.16+ds1, 1.2.16+ds1 |
Timeline
- May 14, 2024 CVE Published
- May 10, 2026 CVE Updated