VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-hj89-pnag-3fer

Vulnerability ID	VCID-hj89-pnag-3fer
Aliases	CVE-2024-43363
Summary	Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Status	Published
Exploitability	0.5
Weighted Severity	6.5
Risk	3.2
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-94

System	Score	Found at
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
epss	0.75133	https://api.first.org/data/v1/epss?cve=CVE-2024-43363
cvssv3.1	7.2	https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4
ssvc	Track*	https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-43363
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43363
GHSA-gxq4-mv8h-6qj4		https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-08T14:21:20Z/ Found at https://github.com/Cacti/cacti/security/advisories/GHSA-gxq4-mv8h-6qj4

Exploit Prediction Scoring System (EPSS)

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T16:37:41.794147+00:00	Debian Oval Importer	Import	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.0.0