Vulnerability Details : CVE-2014-5261
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
Products affected by CVE-2014-5261
- cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7a:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7e:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7d:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7c:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7b:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7g:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7f:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.7i:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.6e:*:*:*:*:*:*:*
- cpe:2.3:a:cacti:cacti:0.8.8a:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5261
EPSS score: 1.28% (probability of exploitation activity in the next 30 days)
Percentile: ~86% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2014-5261
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2014-5261
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5261
- https://security.gentoo.org/glsa/201607-05 : Cacti: Multiple vulnerabilities (GLSA 201607-05) — Gentoo security
- https://bugzilla.redhat.com/show_bug.cgi?id=1127165 : 1127165 – cacti has remote code execution vulnerability
- http://seclists.org/oss-sec/2014/q3/386 : oss-sec: Re: CVE id request: cacti remote code execution and SQL injection
- http://www.securityfocus.com/bid/69213 : Cacti Multiple Unspecified Security Vulnerabilities
- http://www.debian.org/security/2014/dsa-3007 : Debian -- Security Information -- DSA-3007-1 cacti
- http://seclists.org/oss-sec/2014/q3/351 : oss-sec: CVE id request: cacti remote code execution and SQL injection
- http://svn.cacti.net/viewvc?view=rev&revision=7454 : Patch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95292 : Cacti graph_settings.php SQL injection CVE-2014-5262 Vulnerability Report