Vulnerability CVE-2014-4000


Published: 2017-11-15

Description:
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).

Type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))

Vendor: Cacti
Product: Cacti 
Version:
0.8.8g
0.8.8f
0.8.8d
0.8.8c
0.8.8b
0.8.8a
0.8.8
0.8.7i
0.8.7h
0.8.7g
0.8.7f
0.8.7e
0.8.7d
0.8.7c
0.8.7b
0.8.7a
0.8.7
0.8.6k
0.8.6j
0.8.6i
0.8.6h
0.8.6g
0.8.6f
0.8.6e
0.8.6d
0.8.6c
0.8.6b
0.8.6a
0.8.6
0.8.5a
0.8.5
0.8.4
0.8.3a
0.8.3
0.8.2a
0.8.2
0.8.1
0.8

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
https://forums.cacti.net/viewtopic.php?f=4&t=56794
https://security-tracker.debian.org/tracker/CVE-2014-4000
https://security.gentoo.org/glsa/201711-10
https://www.cacti.net/release_notes_1_0_0.php

Related CVE
CVE-2018-10061
Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2018-10060
Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10059
Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
CVE-2016-10700
auth_login.php in Cacti before 1.0.0 allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database, because the guest user is not considered. NOTE: this vulnerabi...
CVE-2017-16785
Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.
CVE-2017-16661
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /e...
CVE-2017-16660
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.
CVE-2017-16641
lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators to execute arbitrary OS commands via the path_rrdtool parameter in an action=save request to settings.php.

Copyright 2018, cxsecurity.com

 
